messenger.com is rolling out backup for E2EE messages. They require the user to set a 6-digit PIN to recover backed-up messages on a brand-new browser/device.
This amount of entropy feels way too low, and I would like to understand how it is designed so that Meta can't brute-force the 6-digit PIN on their end to read the backed-up messages.