Well, anyone can boot with init=/bin/sh and get access to root which will be unlocked and unencrypted. Unless there are some other means to prevent it that I am not aware of.
The way automatic unlocking is implemented cannot protect kernel command line because it happens before kernel command line becomes known.