If you don't have 2FA enabled, it seems that Google will now sometimes arbitrarily choose a previously logged in device or previously associated phone number and require 2FA through those, so having it disabled can be even more dangerous.