You are fundamentally correct: to make your passwords safe from hackers you are making them harder for yourself to access (in this case by requiring MFA). Accessing your passwords now requires having access to a device (your second factor).
There are recovery mechanisms that you can set up ahead of time (a series of recovery codes, for example), but for the most part I would agree with your premise: you will have a very hard time accessing your accounts if you ever lose your primary devices. For me the security benefit is worth the inconvenience.
Wrt your first point, you are absolutely 100% right, and I said so in the article. I agree that failing to manage my login permissions exposes me to problems. But a system that makes it this easy for people to get screwed is a bad system. In my case the only downside is that I get annoying emails - but giving inbox permissions on fb or email exposes you to huuuuuge problems. People keep all kinds of things there that they shouldn't - passwords; I'll bet you have ten friends with their social security or all kinds of PHI in their Gmail. In my case I take responsibility for the silly emails I get because of it. I also go through fb and Google permissions and cull them, but that is not always enough, especially if you're facing a malicious site. But my problem isn't how this affects me, it's how it affects users who don't understand the danger here - which is most people. Some people think the answer is either "everyone learns to code or everyone loses control/rights", but I think that doesn't make sense. You don't expect everyone who drives to fix their cars themselves, and when one breaks and hurts them you don't mock them for their carelessness in getting such a complicated piece of equipment (I hope). We always abstract complexity away from new technology so that it can be used conveniently and safely, which is great. In the same way I think people building complicated web tools should do so responsibly, so that their users don't expose themselves to problems by using them. You don't have to abuse access permissions to make a great tool, and I'm willing to bet that these controls will get more and more tightly controlled to keep things like this from happening. That's exactly what happened to Facebook's messaging API, which no longer permits developers to problematically send messages, to prevent spam.