What would a physical token give you that totp doesn't?

Edit: wait, did the attacker intercept the totp code as it was entered? Trying to make sense of the thread

The attacker installed a RAT on the contributor’s machine, so if they had configured TOTP or saved the recovery codes anywhere on that machine, the attacker could defeat 2FA.

	▲	yjftsjthsd-h 16 minutes ago \| parent [-]
		Oh, yes, I missed that the TOTP machine was compromised:\ Would that then imply that it would have been okay if codes came from a separate device, eg. a TOTP app on a Palm OS device with zero network connectivity? (Or maybe these days the easiest airgapped option is an old android phone that stays in airplane mode...)