It depends. @CransNeighbour did a great writeup here:
But that only applies to stock FPOS, because Factory Reset Protection is tied to a Google account.
CalyxOS for example disables OEM unlocking after the first successful boot automatically, according to one of the devs…
Also, when CalyxOS is locked, we automatically set OEM unlocking to off, aka unlock ability to 0.
But it only happens after a successful boot and thus is safe.
…but I have no idea what the benefit of disabling OEM unlocking in a custom ROM is
(other than making disaster recovery harder).
Either way, since IMEIs can be blocklisted, a stolen phone is probably not that useful to a thief anyway.
The data on it is probably more valuable and that is encrypted.
Locked or unlocked bootloader gets more interesting if you deal with adversaries that want to modify your device, for example to spy on you. But most people probably don’t live under a threat level where that becomes relevant.