hocuspocus 4 days ago

It's the same thing with Apple Passwords.

TOTP isn't that great; you should definitely use a hardware key and/or passkey for important and financial services. That said, your cloud-synced Google Authenticator can be behind a Google account with strong 2FA (i.e. not SMS nor TOTP), then it's mostly fine.

The lesson here is really not to ever share codes you receive by SMS, and preferably disable phone as recovery and second factor.