If one side of the communication is a fixed device subject to simple tampering (e.g. "put your phone here for access") then you can MitM the connection is much the same way as was done with ATM skimmers.
Or with a little more difficulty, you could pop open a bluetooth keyboard, put a shield over the antenna, and MitM what it says to its already-paired desktop to implement a keylogger.
These aren't remotely accessible vulnerabilities to internet hackers, but they're the kind of thing that has been done by amateurs in the past in other realms.
Agree that it would be significantly easier if you had physical access either of the devices. However, with physical access there are probably even easier attack vectors (e.g. in the case of a keyboard, why not just capture the key presses directly instead of trying to capture it as it's going over BT?).
Or with a little more difficulty, you could pop open a bluetooth keyboard, put a shield over the antenna, and MitM what it says to its already-paired desktop to implement a keylogger.
These aren't remotely accessible vulnerabilities to internet hackers, but they're the kind of thing that has been done by amateurs in the past in other realms.