Not really relevant - if someone wanted to get into your N900 after you lost it, they could only get into your N900 to run recoverlock the following ways:

Reflash just the fiasco image first. The lock code isn't recovered, but it's disabled so they've bypassed it without recovering it. Your private/personal/important data is either erased (if it was in an area wiped by the fiasco flash) or still left on device (if it was in an area untouched by the fiasco image flash).

SSH in, if they can brute force, guess, or otherwise know, your SSH password(s) or key(s), and you have an SSH server installed. But if they can do that, they have access to all of your data without worrying about the lock code.

Just use the phone because you yourself don't have the lock code enabled (or they get lucky enough to catch it in a non-locked moment, and are able to do everything they need to do without letting it go idle and lock on them). In which case, they already have access to all your data anyway.

So, in short, there is virtually no use case where recoverlock is useful to someone who is trying to get into your phone maliciously. Unless they stole, say, your N900 and an iPhone or something from you at once, and you used the same lock code on both, or something.

It's the same argument that hits tools like aircrack-ng: people point to it and go 'omg now bad people can abuse it'. And to that argument, I would typically just say 'good uses justify it existing in spite the abuse potential' on principle and leave it at that, but in this case, it's even simpler than that:

Anyone capable of installing recoverlock on your phone and getting your lock code already has enough access to your device that they don't need recoverlock itself to do anything malicious.