This is a fair point. I tend to use a security key (Yubikey) or Duo Push when possible, I’m not a fan of the otp codes, especially SMS.
Speaking of attackers getting access to OTP codes, my mother was actually recently conned into giving hers to someone. She was trying to sell items online, and someone “buying” them wanted to “verify the she always real.” So she said they told her to give them the “Google Verification Code” that they texted her. 99% sure they were attempting to con her out of her OTP code. I immediately had her change her password and sign out all devices. Luckily she doesn’t use her Google account for much.