No, the exploit is against the BIOS. It involves an attacker with escalated privileges in the OS using this exploit to further escalate to ACE in the BIOS.
That said, if you lose your laptop and it is not encrypted you can safely assume the thief has full access, locked or not.
Does this allow executing code to flash unsigned customized BIOSes without disassembling the laptop to flash the BIOS chips through hardware (which works in the absence of Intel Boot Guard)?
I'm not an expert (so take this with a grain of salt), but by my understanding that should be theoretically possible. However, I'm not aware of any successful attempts.
Reading from Lenovo's advisory, it's not just Lenovo that is affected, but everyone who uses the reference UEFI implementation Tianocore is affected (and as far as I know AMI and Insyde also used parts of Tianocore but I can't say if they copied the affected part)
What are "elevated privileges"? If I lose my laptop and it's locked, can someone execute arbitrary code with this?