When I got asked that once, I told them they should bring me their laptop. 10 minutes tops and I'll have access to their files. They really didn't know if I was bluffing or not.
(I wasn't. The average laptop is genuinely that badly secured.)
Almost every personal computer that isn't a MacBook is poorly secured due to the lack of filesystem encryption as a default. No one encrypts their data at rest, and as such you just have to pull their drive and read it with another computer. Hell, I don't encrypt my entire file system despite being aware of this because of the inconvenience of added boot time, but everything that matters is encrypted and backed up across multiple devices.
The best thing anyone can do is keep the amount of critical, digital data they have to a minimum, keep that data encrypted and backed up, and use a password manager properly. That alone makes it exceedingly unlikely you will ever be a victim of cybercrime solely because you're more of a pain in the ass to compromise than 99.9% of the world.
I personally have almost 10TB of data between all my systems, but of that maybe 10 MB is actually valuable to anyone but me.
Do you know the wonder that is Kon-Boot? It works on every version of Windows with old school offline accounts, it even works/worked on Linux, and it leaves no trace.
There's literally an open source tool suite you can flash on a thumb drive, stick it in a sleeping notebook and get access to it. Sadly, I can't find it anymore.
I can guarantee you that someone in the Facebook HQ has their password on a sticky note. I bet they even think having it stuck under their keyboard means it's hidden.
Back in undergrad, before Facebook went HTTPS only, I would set up "free wifi" and steal people's cookies for shits and giggles. Use the cookies to authenticate with FB and send random messages to people.
Looking back, I probably shouldn't have been doing that. Definitely illegal.
They were just barely starting to get serious about legislating cyber security, so you were only maybe breaking some laws. I remember in the '90s it was a lawless land. There were no laws against hacking, or at least none that anyone understood, and most sites had terrible security. I gained access to someone's Hotmail once just by trying "anon/anon" as a user/pass combo. I also used to gain access to e-commerce customer databases just by googling certain SQL strings. I'd poke around and then send the webmaster an email letting them know their site was vulnerable.
Had a random guy that I spoke to at a bar ask me if I could hack a university to forge a degree for him when I told him I work in IT. Even if I could do something like that, it seems like a really risky and unethical thing to do for some rando at a bar.
I once had the knowledge of how you could hack a government system to get free fishing licenses. Seemed like a high risk / low reward type of deal though.
I got this from a service technician once. He was like, "So you know code? Say I had my wife's phone, but not the password. How could I get into her Facebook Messenger??"
And I was like, "... So can you fix my drain line, or no?"