According to the Google support site, all Pixels are encrypted by default. So, this shouldn't even be possible...unless perhaps there was no lock code on the device?
Do you have a source for that? I didn't think the phone's encryption key or password was backed up to Google. The help pages say that if you forgot your PIN, you should reset your phone.[1][2]
Of course Drive and Photos files are in Google servers and aren't E2E encrypted, but I don't think that's what you're talking about.
Full disclosure: I work at Google but on nothing related to this.
I think out in the real world they are insecure because it's easy to shoulder-surf and get a peek at the pattern being input. Overall they are probably similar to PIN codes... some people just have 0000 as their PINs, or draw an L for a pattern.
Sending a phone in for repair negates the shoulder-surf issue but yeah.
I think it's easy to guess patterns because people all use one of a small number of simple patterns. Everyone uses the geometrical equivalent of hunter2 or 123456, but they irrationally think it's more secure because it's a pattern.
1. Easy to view & remember.
2. The oil smear is visible in reflected light, and that pattern is not quickly overwritten by using the device.
3. Typical gesture patterns mean gestures start from similar positions (high) and are frequently unoriginal.
4. Gestures are simpler than the equivalent code (e.g. the passcodes 1397 and 1235987 are gesturally identical).
5. In practice, the reality of finger sizes means that join-the-dots encourages users to draw a gesture using only adjacent dots (e.g. connecting dot 1 to 2, 4 or 5, rather than 1 to 6 or 8).
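A worked example for points 4 and 5 above, and for the comparison with PIN codes earlier in the thread. This is an added example, not code posted by anyone in the thread. It assumes a 3x3 grid numbered 1..9 keypad-style, a minimum of 4 and maximum of 9 dots, and the rule (as on Android lock screens) that a straight stroke passing over an unvisited dot pulls that dot into the pattern; which dots get pulled in for a given drawn input follows from that rule. `normalize` collapses drawn inputs that are "gesturally identical" onto the one sequence the lock records, and `count_patterns` enumerates every distinct recordable pattern, optionally restricted to adjacent-dot strokes to model the finger-size habit in point 5.

```python
"""Why unlock patterns carry less entropy than their dot count suggests.

Assumptions (mine, not the commenter's):
  * dots are numbered 1..9 row-major, keypad style:  1 2 3 / 4 5 6 / 7 8 9
  * a straight stroke that passes over an unvisited dot includes that dot,
    so a drawn 1->3 is recorded as 1->2->3
  * a valid pattern visits 4..9 distinct dots, no revisits
"""


def _skip_dot(a, b):
    """Dot that a straight stroke a->b passes directly over, or None."""
    ra, ca = divmod(a - 1, 3)
    rb, cb = divmod(b - 1, 3)
    dr, dc = rb - ra, cb - ca
    # Exactly two steps along a row, column or diagonal: a middle dot exists.
    if (dr or dc) and dr % 2 == 0 and dc % 2 == 0:
        return 3 * (ra + dr // 2) + (ca + dc // 2) + 1
    return None


def _adjacent(a, b):
    """True when b is one of a's eight neighbours (a king move)."""
    ra, ca = divmod(a - 1, 3)
    rb, cb = divmod(b - 1, 3)
    return a != b and max(abs(rb - ra), abs(cb - ca)) == 1


def normalize(drawn):
    """Return the dot sequence the lock actually records for a drawn input.

    Swiping over an unvisited dot pulls it into the pattern, so several
    drawn inputs collapse onto one recorded pattern.  Revisiting a dot
    or using fewer than 4 / more than 9 dots is rejected.
    """
    seq = []
    for dot in drawn:
        if seq:
            mid = _skip_dot(seq[-1], dot)
            if mid is not None and mid not in seq:
                seq.append(mid)
        if dot in seq:
            raise ValueError(f"dot {dot} visited twice")
        seq.append(dot)
    if not 4 <= len(seq) <= 9:
        raise ValueError("pattern must cover 4 to 9 dots")
    return seq


def count_patterns(adjacent_only=False):
    """Count distinct recorded patterns by length via DFS over the grid.

    A stroke over an unvisited middle dot is not explored: the pattern it
    would record is reached through that middle dot instead, so every
    recorded pattern is counted exactly once.  adjacent_only restricts
    strokes to neighbouring dots, modelling the habit in point 5 above.
    """
    counts = {n: 0 for n in range(4, 10)}

    def dfs(seq):
        if len(seq) >= 4:
            counts[len(seq)] += 1
        if len(seq) == 9:
            return
        last = seq[-1]
        for nxt in range(1, 10):
            if nxt in seq:
                continue
            if adjacent_only and not _adjacent(last, nxt):
                continue
            mid = _skip_dot(last, nxt)
            if mid is not None and mid not in seq:
                continue
            dfs(seq + [nxt])

    for start in range(1, 10):
        dfs([start])
    return counts


def keyspace_comparison():
    """Effective keyspaces side by side: PIN digits vs pattern dots."""
    full = count_patterns()
    adj = count_patterns(adjacent_only=True)
    return {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "4-dot pattern": full[4],
        "all patterns (4-9 dots)": sum(full.values()),
        "adjacent-only patterns (4-9 dots)": sum(adj.values()),
    }


if __name__ == "__main__":
    print("drawn 1-3-9-7 is recorded as", normalize([1, 3, 9, 7]))
    for label, size in keyspace_comparison().items():
        print(f"{label:>36}: {size:,}")
```

Under these rules there are 389,112 recordable patterns in total and only 1,624 four-dot ones, already fewer than the 10,000 four-digit PINs; restricting strokes to adjacent dots, as point 5 describes people doing, cuts the space further still. The smudge and shoulder-surfing points (2 and 3) then reduce the attacker's search to a handful of candidates within whichever subset the user actually drew from.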