Appreciate the thoughts. My understanding is that on Android devices, cryptographic keys are recoverable when sitting in RAM. For normal users, punching in their password once means they have their cryptographic keys in RAM until they restart their phone, even when the device is locked. If the phone hasn’t been turned off or the attacker knows how to keep the keys in RAM (e.g., with a cold boot attack, like you described), the keys can be recovered. In effect, this means the phone needs to be turned off completely and given time to “cool down” for disk encryption to work.