I do not own an FP3, so I cannot talk about the differences, but security-wise there are a few things to consider:
- Locked bootloader and flag not set (i.e. OEM unlocking disabled)
  The security of your data and everything else depends on the quality of your password. A potential attacker does not have access to your data, and if they were to factory reset your device they would not be able to use it, since factory reset protection (FRP) is in place. This requires the input of the credentials of the last Google account connected to this device for it to be usable; your data is gone, though.
- Locked bootloader and flag set
  Same as above, but FRP is not active. Your data is still as secure, but an attacker could wipe your device and use it themselves.
- Unlocked bootloader, flag does not matter
  Your data is still encrypted, so if someone has access to your device, your data is still secure, but once you start using your phone again after getting it back, the following attack vector is possible:
  Since your device is unlocked, a potential attacker could flash a malicious image that records your passwords, or waits until you decrypt your phone (= enter your password) and sends all your data to their computer using the internet.
Strictly speaking you could consider your phone compromised the first time it leaves your hands and you look away.
Hope that helps