Regarding my app to penetration test report

in my app, i was saving database encryption key/login session token into keychain with "afterFirstUnlock" setting. During the pentest phase, pentesting vendor insist application should set "setPasscodeThisDeviceOnly" for sensitive data stored keychain.

My question is: is it normal to assume every end-user has enabled passCode on his device? so that, I can just switch to this setting without any issue?

I would say not. Based on casual observation, there are many folks walking around with unsecured phones.

I don’t think I’ve ever seen an iPhone without a passcode (and Touch/Face ID). Though some probably have it disabled. But I would think it rare.

However iPads are commonly shared devices, especially in families, and are often unsecured.