(no title)

They set the vbmeta header flags field to 0x3, which effectively turns off all of AVB (Android Verified Boot). I'm guessing they do this because they want to allow the system partition to be writable (eg. for folks who flash additional things on top of LineageOS).

With unmodified LineageOS, if you configured the bootloader to use LineageOS' public key and relocked it, there would be no security benefit. To enable AVB's signature checks, the flags field needs to be set to 0, which requires re-signing LineageOS with your own key.