Many critical apps have a biometric lock on them every time you raise them. It's not because people go around leaving their phone unlocked...
Home isn't one of those apps. But there are ways to require authentication to open an app -- this might help:
In the interests of enhanced privacy, some third-party iOS apps include an option to require passcode or Face ID authentication before they can be...
www.macrumors.com
Note though that you'd also want to lock down the Control Center, remove the Home button from there, as that will let you turn on lights and things without unlocking the phone. Siri will also let you control Home functions on a locked device I believe. The takeaway here is that once a device is trusted and added to a HomeKit Home, it gets permission to do things without a lot of friction. Same with HomePods. This is all by design, so you're not having to jump through a bunch of hoops to turn off a light or something.