Depends on the kind of attack you are worried about.
The biggest problem with an unlocked bootloader is that you lose Android Verified Boot, so you just wouldn’t notice malware that embeds itself deep into your system. At that point it doesn’t really matter what protections you have on the surface, if it can just collect all the information it needs in the background, while you are using it.
If you are mostly worried about theft, having a strong PIN/password should keep your data reasonably safe. Since your phone is unlocked, motivated attackers can obviously always pull the partitions and try to brute-force the encryption or wait for a flaw to be discovered. That’s more of a state-level attack though, robbers will probably just wipe and sell it.
If your phone is unlocked, unencrypted data is obviously fair game. Termux doesn’t have full root access by default, if you set it to ask in Magisk it doesn’t.
Personally I try to solve that whole problem by having as little sensitive stuff on the phone as possible, no banking, no ssh-keys, only necessary passwords, etc.