But how? - surely they don't store the passwords in plain text locally? Does the OS have a function to log in a user while bypassing their credentials? I would have assumed that it is impossible for the OS to preloadapps() when it doesn't have access to the user's apps in the first place.
But apparently it does! shrug
So why tell the user that they need to log in first? If they are the only user account on the system and the OS can access the user's files and apps without logging in, why have the user event set a password in the first place? It seems like a fake login, a false sense of security. And a massive security issue. If the user can just open the lid and that means that code is now running under their own account but they have not authorized a log in, that's just dangerous.