So you also need to make sure that your phone's browser doesn't have your Google password stored, and/or your phone's storage is encrypted with a strong-enough key.

Google has made me re-enter my password when modifying 2fa settings.

Sure, but if it's saved in the browser than it can be extracted from the browser

Last I checked, this was not the case- And a major cause for concern.

Everytime I go to https://www.google.com/settings/security and click on 2-step verification, I'm required to enter my password if I haven't done so in the last 5 min or so.