This has been looked at before, and tends to go round in circles of discussion. Another example thread is:
I do not find this concerning, as I have 2FA set up on my email, as should anyone who uses it for anything sensitive, which I would assume is everyone… I would not want extra friction on top of this, but if anything is considered needed it would be education and prompts to add 2FA to user’s email addresses, as this benefits them for everything they use.