2FA keys are easily stolen from a desktop with a password manager running in the background when running a malicious executable, vs. 2FA keys on a 2FA app on a phone and running a malicious app.

I don't know if this is true. A password manager should encrypt its data at rest, and exfiltrating a key from another process's memory space is non-trivial. At the very least, you'd need a privilege escalation trick.