An app containing sensitive data can be fully encrypted. The user is prompted to tap the correct Security Key. If the correct Security Key is used, the content will be decrypted and temporary access is allowed.
New content (e.g. files, incoming messages) are encrypted without the Security Key (using the public key associated with this hardware). This allows, for example, to encrypt incoming messages directly for a messenger app without holding the Security Key against the device.
This is not a simple unlock screen, it uses real public-key cryptography to encrypt the whole app database!