If someone can log in via your Apple ID, which means that the person knows your username/password, and can also convince you to provide them with the 2FA code that gets shown on your existing device, they can just add a new device to your account and get passwords to sync to it.
If someone knows your username and password and can convince you to give them a TOTP code, then yeah they can log in to your account. That’s hardly iCloud-specific.
iCloud Passwords is more secure than that. Even a TOTP code and password is not enough to initiate a password sync. You also need to biometrically authenticate a previously synced device.
Thinking about it, what happens if you lose your eyes or your fingertips (say, for example, from frostbite)? Are you just screwed, or is there a recovery method?
Nope. Check the Apple documentation, that’s not how it works. Even if Mallory gets your Apple ID and 2FA code you still need biometrics from a nearby device to initiate password sync.
This is a special requirement for Passwords that does not apply to other encrypted data in your Apple account.