That’s good to know. Also from a quick search it seems that Samsung devices have by default locked bootloaders now, which means that my 2nd sentence in my 3rd paragraph is totally irrelevant because if they were flashing unofficial software or recovery they couldn’t boot it up anyway.

It should be safe.

Any Android device shipped with Android 5+ has encryption turned on by default and since Android 10 File-Based Encryption is compulsory which is a stronger protection.

If they reset the phone, apart from formatting, the encryption key gets erased too. If they try to modify the software (e.g. rooting, custom recovery or ROM) the Knox bit gets triggered and the phone automatically deletes all your data as per my knowledge.

So if they don’t guess your PIN correctly or use an unpatched vulnerability, which is highly unlikely, they can’t access your data.

You don’t have to go back that much, my Galaxy Ace 3 LTE (released in 2013) only received 1-2 updates which didn’t really change anything, but with custom ROMs it was really great phone. It made me to switch to Xiaomi (first to a Redmi 3S, ended up using custom ROMs as well, after that a Redmi Note 7, no custom ROMs, I also really liked them both, especially the latter), but now the tables have turned again, I’m back using a Galaxy A54.

It’s amazing to see that midrange phones can serve me for years now not only by hardware, but finally with decent software support too.