The particular attack vector mentioned in the original post could be mitigated by not allowing users to change their iCloud password from their unlocked mobile devices without either additional Face ID verification or entering their current iCloud password.
Furthermore, the ability to log yourself out from all other devices seems more harmful than useful, too. Other than all of my other devices having been stolen, what's the potential use case here? If my iCloud password has been compromised but I still have a device that password is currently used on, why wouldn't I want to still be logged in on that device for the time being?
Other than that, some alternative way of remotely wiping and bricking a stolen device could be helpful and might work as a deterrent for thieves, too. For example, similar to how 1Password does this, Apple could allow their iCloud users to generate a master key that would authenticate in such a situation and authorize them to carry out such actions.