Lots of Xiaomi phones are 'rootable' due to many developers supports their devices (because the price/performance ratio is good for most people who don't want to spend $800 for a phone).

That being said, I doubt just because he installed a custom ROM somebody can expose his seed just like that. We'd need a lot of details from now on, starting from the apps on his phone, what security patch his phone is using, did he also load his wallet on another place previously, etc.