
2FA is about having a factor which changes every time you use it, so that if the medium is intercepted somehow, the account isn't permanently compromised.

It's protection for when using untrusted computing devices, or because most people have their passwords in some way visible or shared.

TOTPs can't be reasonably made much longer than they are while still being usefully entered, but my password database never leaves my own devices and neither does the password to it.

If someone compromises my phone to the level they can get that database, then they've already got my Google Authenticator or whatever DB as well anyway.



IMO this reduces the protection of 2FA significantly. For me 2FA is primarily not having a single device that's enough to compromise to get access to your important accounts. This means that I never have both factors (password and TOTP key in our case) on a single device. That's why

> they've already got my Google Authenticator or whatever DB as well anyway.

is of course good for them, but they still need to get my password from my other device.


If your device is compromised to the point that someone is reading out the content of non-online, encrypted DBs, or keylogging aggressively, then they've also got your email and can much more easily just send a password reset to 90% of everything out there.

2FA as the internet uses it has always been about dealing with accidental disclosure and public PCs.


As an owner of a Xiaomi phone, I consider all data on it to be available to mid- and high-profile parties, at least in China, which might eventually leak into my country as well.

That's why my phone doesn't have any bank software installed and doesn't have any passwords saved. It is logged into my Google account, though, from which you could probably restore some passwords, but for all the resources I care about (banking, investments, crypto, etc.) that's not possible. I also use a separate email for those. If my HN or Reddit account is compromised via my phone, so be it, I don't really care. I can also tolerate a compromised 2FA app, as it's useless without the passwords, which are stored on another machine.


For most of us 2FA as it is works fine. Until I become a CIA operative or drug dealer I suspect the current setups are fine via companies like authy, 1Pass, and google auth.



