There’s threats and there are threats. Second factors largely exist to prevent password stuffing from password reuse. Even if the second factor is the same device as the device where you are initiating a login this works just fine.

If your goal is to stay safe even after one of your devices is owned then you’ve got a rarer (and way more difficult) threat model.

How did this user Coinbase account get hacked anyways? Did they reuse passwords? Did the attacker even have passwords?