Lock bootloader after the fact on pixel 7?

I apparently missed that step when I was setting it up and installing, and now I am weeks into my setup. I finally rebooted my phone and realized the bootloader is still unlocked.

Or is the Pixel 7 bootloader not relockable?

So I guess the question is, can I lock it without losing everything or can I lock it at all?

Yes, it can be relocked. Put it back in fastboot mode, connect it to a computer, and issue this command:

fastboot flashing lock

But, by design, any time you lock or unlock it will perform a reset of userdata, so it is effectively a “Factory Reset” and you will need to set up as if it were a new installation. Seedvault (from “System Settings”) can aid a lot, but won’t get everything. So use it for convenience, but have all your important data saved outside of it as well for safety.
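The two steps in the answer above (check the state, then relock) as an added shell example; this is not from the thread or from iodé. It assumes the Android platform tools are on PATH and the phone is already in fastboot mode. `fastboot getvar unlocked` prints `unlocked: yes` or `unlocked: no` on stderr, which is why the script captures `2>&1`. One caveat the thread takes for granted: relocking a Pixel that runs a third-party OS only boots afterwards if that OS is signed with a key the bootloader has been told to trust (the custom AVB key the installer flashes); the script assumes that is the case, exactly as the iodé installer’s own lock prompt does.

```shell
#!/bin/sh
# Added example (not from the thread): check a Pixel's bootloader lock state
# over fastboot and run `fastboot flashing lock` only after an explicit
# confirmation, because locking wipes userdata.
set -eu

# fastboot reports variables on stderr, e.g.:
#   unlocked: yes
#   Finished. Total time: 0.002s
# Classify a captured `fastboot getvar unlocked` output as locked/unlocked/unknown.
parse_unlocked_var() {
    case "$1" in
        *"unlocked: yes"*) echo unlocked ;;
        *"unlocked: no"*)  echo locked ;;
        *)                 echo unknown ;;
    esac
}

# Query the attached device (must already be in fastboot mode).
query_lock_state() {
    # 2>&1: the value is written to stderr; `|| true` keeps set -e from
    # aborting when no device is attached, so we can report "unknown".
    parse_unlocked_var "$(fastboot getvar unlocked 2>&1 || true)"
}

relock_pixel() {
    state="$(query_lock_state)"
    case "$state" in
        locked)
            echo "Bootloader is already locked; nothing to do."
            return 0 ;;
        unknown)
            echo "Could not read the lock state. Is the phone in fastboot mode" >&2
            echo "(adb reboot bootloader) and is fastboot on your PATH?" >&2
            return 1 ;;
    esac
    echo "Bootloader is UNLOCKED."
    echo "WARNING: 'fastboot flashing lock' factory-resets the phone (userdata is wiped)."
    printf 'Backups done? Type LOCK to continue: '
    read -r answer
    [ "$answer" = "LOCK" ] || { echo "Aborted, nothing changed."; return 1; }
    # The phone then asks you to confirm on its screen with the volume/power keys.
    fastboot flashing lock
    echo "Lock requested. The phone wipes userdata and reboots into first-time setup."
}

# Usage: RELOCK_RUN=1 sh relock_pixel.sh   (with the phone in fastboot mode)
if [ "${RELOCK_RUN:-0}" = 1 ]; then
    relock_pixel
fi
```

The `RELOCK_RUN` guard (an assumption of this example, not a fastboot option) lets you source the file and call `parse_unlocked_var` or `query_lock_state` on their own without triggering the wipe.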

Well, crap. I was afraid you’d say that. I have backups, but I’d need to set them all up again. :frowning:

Guess that’ll be after my road trip this weekend.

Yes, it is a bit of a hassle, but if you take a few notes on the migration then next time will be smoother, and the time after that “even smoother smoother” :slight_smile:

Regarding not seeing the prompt to lock when you installed: did you install with the graphical installer or with the “manual process” using fastboot? Both should have prompted you on the device screen to lock or not, so I am a bit curious how this didn’t get triggered.

I thought of it as an experiment; I was deciding between iodé, eOS, Graphene… and, more importantly, I did not realize it would wipe the phone if I did it later.

I figured it would just be insecure until I did it :frowning:

Discussions about whether or not to lock bootloaders are as old as the possibility of locking them. This will be an issue for a president, the boss of a large company, or a politician. I don’t see it as very critical for ordinary use. In order to successfully make use of an open bootloader, you definitely need physical access.
Iodé is spoofing the bootloader state; apps see the bootloader as closed. You are not really insecure.
But yes, a closed bootloader gives a better feeling.

If I had known that before the install (locking), I would not have locked the bootloader. Good to know for the next time.

Same here. Installed, but kept the bootloader open, thinking I could close it later. Now I’m already hours of setup into iodé 7.3.
A warning about this risk of wasting time should be more prominent in the setup process.

So are there any risks now to leaving the bootloader open, besides looking sketchy when booting?
Thank you

Not really, unless you see yourself as a target for an “evil maid” attack.

A couple of links with further reading on this:

Along with the practical guidance by @petefoth and @volker01 (I fully agree; I personally am not concerned with an unlocked bootloader, and neither is anyone coming from LineageOS, since they don’t support relocking at all), I have been trying to clarify this / give a clear disclaimer when devices I sell at https://openmobile.us come with an unlocked bootloader. Probably the biggest concern is the “scary boot message that your device has been compromised and can’t be trusted” :slight_smile:

Anyway, my current guidance / statement is this:

Do note that our build process doesn’t allow the bootloader to be relocked, so we sell them with the bootloader unlocked. There will be a message at boot to this effect, but never fear: your personal user data is always encrypted and secure with modern Android! It can only be accessed if your lock PIN / password is compromised, or if you are the unknowing victim of a “deep-state-like attack” leveraging a targeted “Pegasus-like zero-day” exploit on the phone. Note that users with locked bootloaders can equally be compromised by these same attacks, but the exploit would be detected the next time they boot. As always, the best defense for all phones (with locked and unlocked bootloaders) is to stay up to date with system and app security updates.

What I am trying to say is that a remote attack could leverage an unpatched exploit to compromise your running phone (where the data is unlocked while in active use). A locked or unlocked bootloader by itself wouldn’t make a difference in this case. But the locked-bootloader user will notice if that exploit modified the system when they reboot, as verified boot will fail.

It is messy, it is theoretical, but it is technically possible.

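The distinction the last two posts draw (an unlocked bootloader shows a warning at every boot; a locked one fails verified boot after the system is tampered with) is visible from the booted phone itself, as this added shell example shows. It is not from the thread or from any of the projects named in it. It reads three boot properties over adb: `ro.boot.verifiedbootstate` (green, yellow, orange or red, the Android Verified Boot states), `ro.boot.vbmeta.device_state` (locked/unlocked) and, on Pixels, `ro.boot.flash.locked` (1/0). The `ADB_REPORT` variable is an assumption of the example, not an adb option. Caveat: a device in the red state normally stops at the “corrupt” screen instead of booting, so in practice you will read green, yellow or orange.

```shell
#!/bin/sh
# Added example (not from the thread): read the verified-boot state a booted
# Android phone exposes over adb and turn it into a plain verdict.
set -eu

# ro.boot.verifiedbootstate is set by the bootloader:
#   green  = locked, OS signed with the OEM key
#   yellow = locked, OS signed with a user-installed key (avb_custom_key)
#   orange = unlocked; boot/system images are not verified, so a tampered
#            image boots without complaint (this is the orange warning screen)
#   red    = locked and verification FAILED; the case the post above describes
verdict_for_vbstate() {
    case "$1" in
        green)  echo enforced-oem ;;
        yellow) echo enforced-custom ;;
        orange) echo unlocked ;;
        red)    echo failed ;;
        *)      echo unknown ;;
    esac
}

# Cross-check verifiedbootstate against the two lock flags the bootloader
# passes: ro.boot.flash.locked (1/0, seen on Pixels) and
# ro.boot.vbmeta.device_state (locked/unlocked).
# Returns 0 when the three agree, 1 when they contradict each other.
lock_flags_agree() {
    vbstate="$1"; flash_locked="$2"; device_state="$3"
    if [ "$vbstate" = orange ]; then
        [ "$flash_locked" = 0 ] && [ "$device_state" = unlocked ]
    else
        [ "$flash_locked" = 1 ] && [ "$device_state" = locked ]
    fi
}

# Read the three properties from the attached phone and print the verdict.
# tr strips the CR that adb shell adds on some platforms.
report_device() {
    vbstate="$(adb shell getprop ro.boot.verifiedbootstate | tr -d '\r')"
    flash_locked="$(adb shell getprop ro.boot.flash.locked | tr -d '\r')"
    device_state="$(adb shell getprop ro.boot.vbmeta.device_state | tr -d '\r')"
    echo "verifiedbootstate=$vbstate flash.locked=$flash_locked device_state=$device_state"
    echo "verdict: $(verdict_for_vbstate "$vbstate")"
    if lock_flags_agree "$vbstate" "$flash_locked" "$device_state"; then
        echo "lock flags are consistent"
    else
        echo "lock flags are INCONSISTENT; do not trust a single property" >&2
        return 1
    fi
}

# Usage: ADB_REPORT=1 sh bootstate.sh   (phone booted, USB debugging enabled)
if [ "${ADB_REPORT:-0}" = 1 ]; then
    report_device
fi
```

On a phone like the ones in this thread you should see `orange`, `0`, `unlocked` and the verdict `unlocked`; after a successful `fastboot flashing lock` with a custom-signed OS it becomes `yellow`, `1`, `locked`. The consistency check matters because an app that “spoofs” the lock state, as one post claims iodé does, can only change what apps see, not what the bootloader passed in; reading all three properties from `getprop` makes a mismatch visible.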