With any contemporary OS, it is a mistake to think that a login password on its own provides any protection whatsoever against an attacker that has physical access to the system. Since he has physical access, he can simply take a copy of the hard drive, the contents of which he can peruse at his leisure, without needing to know any of the passwords of any of the users. And nobody may ever know that the copy was taken.
In contrast, an attacker who changed the password would be a bit dumb, as he’d have no way of changing it back again.
As has been suggested, the protection in this scenario, if your data needs to be kept private, is to encrypt your hard drive using FileVault. That’ll stop a passer-by from snatching the data, and the simple “resetpassword” process won’t work either.