This is the main problem - I want the ability to say "this app should be authenticated whenever my phone is unlocked" - I trust that the timeouts on my phone will protect me from the unlikely "grab" attack, and I can remotely lock it anyway.

I do NOT want to have to sign in a billion times a day, even if it's relatively quickly with FaceID or similar.