I noticed that certain versions of macOS would leak small amounts of spotlight indexed data to any USB drive that was inserted into the system, even when locked. The project named spotPlight was the result of automating the extraction of this data. I found that rapidly inserting and removing up to 128 emulated USB drives at a time into macOS system using a raspberry pi, that it was possible to exfiltrate data from a screenlocked macOS system even with filevault enabled.

A full writeup can be found here: https://fyrmassociates.com/blog/2018/12/01/macos-spotlight-data-leak/

spotPlight github repo: https://github.com/fyrm/spotplight/