Yep. Binding 2FA flows to email is risky business for a lot of reasons, but registrar incompetence might be the spookiest thing of all.

Same reason I dislike SMS based 2FA, or worse SMS/email based 1FA codes.

You dont truly own your cell number or domain. Meanwhile passkeys are certainly hardware I own, likewise my TOTP codes are stored and calculated locally.