I believe "Locked" can only be triggered by multiple incorrect password attempts into the user's account. That is why there is only an "Unlock" function available to the Admin.
Is there a reason to use "Locked" instead of "Deactivated" ?
From an Admin view, if they want to stop a user from accessing Okta, they can 'Deactivate'. If they believe the user's password has been stolen, they can send the user a Password Reset email. If there is more than one admin, and the admin sets a user's account to 'Locked' so they can't access Okta, then another admin may think it was just incorrect passwords and send a reset email.