It's also the weak point - do you trust your domain provider he won't allow a domain move / access based on parts of your personal information, like here [0]?
You shouldn't use the almost-scammers of GoDaddy as an example. Whenever I hear any Domain horror story it's about GoDaddy, it seems like a bad idea to extrapolate from them.
Yes, my main domain is locked by the registry and transfer requires some form of state ID validation with the registry to unlock the domain, before a registrar can transfer the domain.
Should be good enough protection against social engineering targeting registrars.