[gant]

A lot of banking apps store cached transaction data and authentication tokens on the "protected" (not accessable to non-root from other apps) part of the data partition. If you run without encryption or with either unlocked bootloader or TWRP installed, someone could just pull that from a device in recovery mode. That's also why unlocking the bootloader wipes your data partition usually.

[kuschku]

And that matters how?

At least all German banks have to have an open API for transactions, and I can run my transactions with curl if I wanted to.

A banking app shouldn't care about how I run it, otherwise I'll just throw it out and use one of the open apps for HBCI.

[h4waii]

This should be OR. If you have FDE enabled, then the data is encrypted and it doesn't matter if your bootloader is unlocked or you have a custom recovery installed -- all caveats about the trustworthiness of the crypto and strength of your key still apply.