Ironically, Authy's cloud sync feature may have been what pressured Google to add cloud sync[1].
And yes, Google could have added an extra encryption password. But users forget/lose passwords, especially if they normally never need them. So I can see why Google didn't go that route.
