[SuperShibe]

Couldn't an attacker just swap the sensor? This seems like something that higher law enforcement likely already did.

Also couldn't you avoid this problem entirely be just making the dot projector use an unique pattern for each unlock attempt?

[formerly_proven]

"Couldn't just", might be, probably not. Face-ID is a pretty complex and very highly integrated system. The dot pattern can't be changed, because each dot in the pattern (~100 dots or so) is actually a VCSEL laser. The large constellation (>30k dots) is created by a diffractive beamsplitter. The sensor is probably custom, so I'd wager the CMOS IR sensor is actually physically the thing that's paired to the Secure Enclave. I doubt there's just an unencrypted MIPI link running from some random 1/6" OmniVision sensor to the CPU.