2. This for me is also the weak point, that most people use 2FA on a device, exposing them to at least the Password axis you mentioned. Myself, I use a Google Authenticator for 2FA, as an extension only linked to 1 browser account. Browser and extension are uninstalled quickly after use. And it means I could recover all my online accounts quickly from a new device with 2FA and change passwords. I expect this method opens me up to other vulnerabilities... Anyone care to share?
Are you using an extension to get the 2FA code? That is not how it is meant to be used. 2 Factor means it's the second way of proving it is you. The first way is the password. And if you use your 2FA this way, then it's really only 1 factor. The use of the 2FA seed in many places will increase the chance of it being stolen. You could just install a 2FA app on a phone not connected to the internet.