I think it's a mistake to assume that just because the initial burglar is technically unsophisticated, that's the end of the story. Crime can become surprisingly complicated, with its own supply chains, service providers and tool vendors, specializations, middlemen, etc. (Credit card fraud is a good example.)

Imagine how your threat-model can change if the thief—still incurious and unsophisticated—just happens to "know a guy":

1. A thief steals your computer, with no thought to who you are or what you might have on it.

2. The computer is passed to a fence for a predictable immediate cut.

3. The fence sees a lot of these computers (or phones), and knows that there are ways to extract more profit.

4. The fence has a relationship with a data extractor, and runs a provided program that gleans as much exploitable data as possible before reselling the hardware.

5. The data-extractor sees those tax files pop up, and sells those details to another criminal group that specializes in tax fraud.

If a system exists to "use every part of the buffalo", then pretty much anything can cause you damage. I'm sure somebody is already developing tools to scan a drive trying to determine likely names of your first-pet for those stupid account recovery questions.