Looks like the issue is much simpler than that. I have “Unlock with iPhone” turned on.
Can someone wear my watch near me and have it unlock when I unlock my iPhone, thereby getting into my Mac? Might try that out.
I’ve talked about Apple watch security holes before, but here’s an even worse one:
If I turn my watch off before taking it off, and put it on before turning it on, half the time, maybe more, I’m not asked to unlock it before I can use it – for anything.
Maybe it’s got some way of checking my heartbeat to be reasonably sure it’s me, but I really doubt it. I think turning the watch off stops the, “Have I been taken off?” check, and nobody thought to ensure “I absolutely have been taken off,” is set when the watch is turned back on.