Reputation: 11
Apple describes NSFileProtectionCompleteUntilFirstUserAuthentication as follows (https://ssl.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf):
"This class behaves in the same way as Complete Protection, except that the decrypted class key is not removed from memory when the device is locked. The protection in this class has similar properties to desktop full-disk encryption, and protects data from attacks that involve a reboot."
Does this mean that files with that protection attribute cannot be read off of the device upon booting (but before unlocking) BUT that after the device has been unlocked, even if subsequently re-locked (with passcode required to unlock), the files could be read off of the device by connecting the device to a computer (i.e., via iTunes or iExplorer)?
Scenario:
User wakes up, boots up his iPhone, unlocks it by entering his passcode, and goes about his day. Based on his settings, the iPhone locks itself after x minutes and the passcode would be required to unlock the device. If somebody then steals/finds the locked iPhone, can the files with NSFileProtectionCompleteUntilFirstUserAuthentication be read off the iPhone if it is connected to a Mac/PC?
Thanks!
Upvotes: 1
Views: 2474
Reputation: 3797
There is another layer of security for iOS-computer-communication in place:
As long as the screen is locked, it's not possible to connect a device to a new computer.
This seems to be implemented through an RSA-based handshake, to which the keys are exchanged during the first connection; Apple doesn't publicly disclose this, but the sources of libimobiledevice, a third-party library that enables USB communication between iOS devices and Linux, seem to indicate as much.
Upvotes: 2
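The Apple text quoted in the question says the class key for NSFileProtectionCompleteUntilFirstUserAuthentication stays in memory after the device is locked, while Complete Protection removes it. The following is an added example, not part of the original posts and not Apple's code: a Swift audit an app could run over its own container to find files below a required class and raise them. The `strength` ranking and the names `Finding`, `auditProtection` and `upgrade` are assumptions made for this illustration.

```swift
import Foundation

// Added example. Ranking (an assumption of this example) of protection classes
// by how early the class key becomes unavailable again after a lock.
let strength: [FileProtectionType: Int] = [
    .none: 0,
    .completeUntilFirstUserAuthentication: 1, // key stays in memory after first unlock
    .completeUnlessOpen: 2,
    .complete: 3                              // key removed from memory on lock
]

struct Finding {
    let path: String
    let current: FileProtectionType?          // nil when no attribute is reported
}

/// Walk `root` and return regular files whose class is weaker than `required`.
func auditProtection(root: String,
                     required: FileProtectionType = .complete) -> [Finding] {
    let fm = FileManager.default
    var findings: [Finding] = []
    guard let walker = fm.enumerator(atPath: root) else { return findings }
    for case let rel as String in walker {
        let path = (root as NSString).appendingPathComponent(rel)
        guard let attrs = try? fm.attributesOfItem(atPath: path),
              (attrs[.type] as? FileAttributeType) == .typeRegular else { continue }
        let current = attrs[.protectionKey] as? FileProtectionType
        // A missing or unknown class is treated as the weakest level.
        let level = current.flatMap { strength[$0] } ?? 0
        if level < (strength[required] ?? 3) {
            findings.append(Finding(path: path, current: current))
        }
    }
    return findings
}

/// Raise each flagged file to `required`; returns the paths that could not be changed.
func upgrade(_ findings: [Finding],
             to required: FileProtectionType = .complete) -> [String] {
    var failed: [String] = []
    for f in findings {
        do {
            try FileManager.default.setAttributes([.protectionKey: required],
                                                  ofItemAtPath: f.path)
        } catch {
            failed.append(f.path)             // report instead of silently skipping
        }
    }
    return failed
}
```

Files raised to `.complete` cannot be opened by the app itself while the device is locked, so anything read during background work has to stay in a weaker class.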