ratorx 4 days ago

Hmm, I see what you mean, although technically this is still a two-factor compromise (Google account password + 2FA code). Just having one or the other wouldn't have done anything. The bigger issue is the contagion from compromising a set of less related two factors (the email account, not the actual login).

Specifically, the most problematic is SSO + Google Authenticator. Just @gmail + authenticator is not enough; you need to also store passwords in the Google account too and sync them.

Although, this is functionally the same as using a completely unrelated password manager and storing authenticator codes there (a fairly common feature): a password manager compromise leads to a total compromise of everything.