I'm hoping someone can help me find the specific text (or something close enough) in a guideline that matches up to Apple's rejection. So far I've come up empty with my searches.
Guideline 4.0 - Design
We found that your app or app extension requires users to unlock app content using Local Authentication, which is not a permitted use of this framework.
For context the app is related to mental health reporting by the user and part of the design spec was to provide as much privacy and security as possible. After login, when the user backgrounds the app I'm adding a modal that dismisses once the user authenticates with TouchID or FaceID (this option can be turned off if the user desires).
It may be that I'm just missing the text but my particular use case doesn't seem particularily onerous and for the record this same app passed beta review once already today without this issue being presented. I've also used this technique in the recent past in another privacy concious app that was allowed in the app store.
I've also asked the review team to point me to the text where it explicitly states this use is disallowed. If they respond I will update my post appropriately.