Correct; but that's only because our small manufacturer didn't think properly about the consequences of providing an unlocked bootloader by default. I think later batches were supposed to come with locked bootloader again.
With LineageOS, I think you just need root by Magisk and some Magisk add-ons to gain SafetyNet attestation for your device. If I remember correctly, that also requires an "official" LineageOS build for the specific device. Also, even then there still may be some apps which refuse to work because they somehow detect that the phone is not running on its official ROM. P