Exactly. The greatest risk to the average person is their credentials are obtained through a leak and 2FA helps mitigate that impact.

I know many people who still reuse passwords, which certainly have been leaked, and are probably protected only by 2FA.