AFAIK biometrics are only used to unlock the device’s keychain. So, in other words, it’s no different than using fingerprints to unlock your password manager (via the device’s keychain that has your actual password).

They’ve violated the licenses

Did they? Because as far as I know they’re complying with the GPL and other licenses, since everybody that gets their RHEL license (and the software/binaries) also gets the sources. Or am I mistaken?

I don’t think the license says ‘grant everybody a copy of your source code’, only the ones that actually bought access to the binaries RHEL provides