But then you can protect against both keyloggers and stolen laptops by enabling TOTP 2FA. You can even require all three!
I have a bastion setup somewhere in my network that's locked behind either an SSH key or a password + TOTP token for when I lose access to all devices with a signed SSH certificate. All devices are encrypted and I don't lose sight of them in public so my threat model would include "the police" and "people violently breaking in and stealing my stuff" but a password isn't going to protect me from that.
I have a bastion setup somewhere in my network that's locked behind either an SSH key or a password + TOTP token for when I lose access to all devices with a signed SSH certificate. All devices are encrypted and I don't lose sight of them in public so my threat model would include "the police" and "people violently breaking in and stealing my stuff" but a password isn't going to protect me from that.