Over the top secure but not when it counts

First, perhaps understand the Apple Support Community is a user-to-user technical forum. Contributors here are all end-users, just like you. Other than the site Moderators, Apple neither monitor nor participate here. As such, if in posting here you hope to reach Apple, or for your comments to be seen by them, you will be disappointed.

With that said, there is a flaw in the current iPadOS security implementation that until recently also existed with iPhone. While a Bad Actor will (a) require physical access to the iPad and (b) have knowledge of the device Passcode (likely obtained by shoulder-surfing) - it is possible to first reset the AppleID and then disable the Find My service.

This flaw has been mitigated for iOS/iPhone through introduction of Stolen Device Protection - this feature being released with iOS 17.3:

About Stolen Device Protection for iPhone - Apple Support

While released for iPhone, Apple has inexplicably not released this security enhancement for iPad - this omission being considered by many to be both surprising and illogical; iOS and iPadOS are very closely related, share a common code-base - and being portable devices arguably have the same threat profile for theft and compromise.

Stolen Device Protection alone is not a silver bullet solution, but where enabled inhibits access to key security settings of the protected device for at least an hour - this delay providing sufficient time for a device owner to take action before a Bad Actor can attempt to reset the AppleID credentials and tamper with Find My protection. When combined with additional ScreenTime Restrictions (protected by a secondary Passcode), the device can be robustly protected from the vulnerability that you have encountered.

While Stolen Device Protection has not yet been released for iPadOS, you can submit constructive feedback to Apple via its Product Feedback portal. For iPad and iPadOS:

Feedback - iPad - Apple

If you would like to see Stolen Device Protection or other security enhancements introduced in a future version of iPadOS, this would be the most appropriate channel through which to direct your request.

Every feedback submission counts; until Apple receive a sufficient number of requests (or reports of theft leading to compromised device and AppleID account security), Apple may not assign resources to address the issue.

You’re not actually contacting Apple when you post on this forum as it is primarily a user to user forum. You would need to contact them directly or submit feedback via the feedback form. As far as someone being able to turn off Find My on your son device…they would have to know the password for the Apple ID associated with the iPad to do so…so it’s possible that it was someone he knows (or whoever set the password knows) and knew the password…or the password was something extremely easy to guess. And if they knew that info they also knew enough to act quickly with whatever they planned to do with the device. It’s also possible that the device battery died or was powered off versus Find My being turned off. Unless you received the email alert at the email address used as the Apple ID alerting that Find My was turned off (or if you also lost access to that email because someone knew the password to lock you out of it by changing it) then that very well may be what has happened.

If someone knows the credentials to anything then yes, losing access is going to happen if they planned to use whatever for nefarious purposes. That’s not an Apple oversight but a reality for anything where your passwords or credentials are compromised/known by others/easy to guess/etc.

this is the link

Product Feedback - Apple