I think GP is actually saying that there's no way to prove that users aren't storing their TOTP secrets in a way that defeats the purpose of 2FA, such as right next to their passwords in cleartext.
This is why we encourage WebAuthn by default (and why PyPI is giving out free security keys): it’s much more misuse-resistant.
Ultimately, PyPI cannot prevent TOTP secret misuse. But we expect the overwhelming majority of users to not misuse TOTP, and a corresponding security advantage therefrom.
