None of the users created by the LXC templates come with passwords, so as far as traditional login, all users are disabled.
lxc-attach does not go through the PAM stack, it just spawns a process as root in the container, whether the root user is enabled, disabled, defined, whatever… doesn’t matter at all.