The real solution for file protection is encryption, every other "if password == "whatever"" method is simply broken. Against some random theft it might be enough, but I always assume that not only idiots can/will eventually steal my phone and this is what you must do if you want real security.

Password input in /sbin/preinit is sufficient for your little sister, some non IT interested "friend", the thief in the metro. But this concept would be based on assumptions about your attacker. And if you want to do it right, you shouldn't underestimate the evil guys. Either way, the lock code is enough for the random, stupid thief who should be more interested in the device than in your files.

And yes HtheB is basically right. It's possible to boot another OS through an USB connection with the flasher and mount the EMMC partitions (if they are not encrypted). The question is always if a thief is smart enough to do that.

Modifing NOLO, while technically interesting(and hard), is definitly overkill.

Activate the lock code, timer 5 minutes. Encrypt the MyDocs partition(for example, with truecrypt) and swap. This will eventually destroy mass-storage mode for it if you don't patch some scripts.
There is some stuff on the home partition as well, but encrypting it requires to modify bootscripts and other stuff. For the beginning, mydocs and lock code should be enough.

If you are new to encryption, there is a learning curve. If you want to do this, read. google. read and google.

closing words:
If you want real security, you must sacrifice some usability.