There's a nasty bug in iOS 14.8 and iOS 15 that lets anyone read your Notes app without unlocking your phone. They have to perform a particular set of actions, but they can make it happen if they know the trick if they have your phone in hand.
Researcher Jose Rodriguez discovered the bug, which was then covered by Apple Insider. He posted a video showing what is required to exploit it. It's a bit complicated, but anyone willing to learn the steps will be able to get access to your Notes app and any notes that aren't passcode-protected.
There are many prerequisites for the exploit to work. First, the person must have the phone in hand. The device must also have Siri enabled, Control Center available on the lock screen, and Notes and Clock included in Control Center. If those are all met, the person could then go through the process in the video below to get into Notes.
To get into the app, Rodriquez first asks Siri to turn on VoiceOver. From there, he navigates to Notes in Control Center. This will launch a new note, but it's far from the end of the process. Rodriquez relaunches Control Center, opens the stopwatch, and then selects the previously opened Notes app. Instead of the same empty note, iOS gives access to the Notes database with saved content.
Once someone has access to the Note, they can get a little creative with it. For example, VoiceOver's rotor can be used to select and copy the note. Once copied, a second phone can call the compromised one. The call will then be declined, and the note can be copied into the custom Messages response field.
Again, it's the kind of bug that requires someone to have your phone before they take anything, but it's still something that should be addressed, as you don't want anyone to be able to bypass your iPhone's lock screen.