Your PoC video to bruteforce the user's PIN code glosses over one important factor:
A PIN is not the only way to secure your device. Using a full-blown password is also an option.
Applications on Ubuntu Touch are confined by default. A confined application cannot use sudo.
Unconfined applications can use sudo (unconfined apps can do anything), but they cannot be uploaded to the Open Store without being open source and passing manual review.
A user could always randomly download a malicious click package from somewhere, but even so, the user would need to purposefully install this package.
In closing, why did you not follow the path of responsible disclosure if you felt this was a serious issue warranting a CVE? Dumping the code on GitHub without giving the project time to correct the issue, or decide it is an acceptable risk, is not in accordance with responsible disclosure practices.