
Brings to mind a question: I've got a throwaway Google Voice number for precisely this reason. Some services will let me use it, others (even Google - tried using a GVoice number as a recovery phone number for a Gmail account for my grandmother, nothing doing) won't; a few just throw back a generic error, others will say they don't allow virtual DIDs.

Someone's going to say that's to cut down on fraud/increase security, right? Yet these services are going to (against many in the InfoSec world who are screaming "STOP DOING THAT") use SMS as a means of 2FA...

I'm a bit confused where the value add is for account security in making virtual telephone numbers such a hit or miss.



Real security is picking a unique password and not forgetting it. Letting someone handle your security by giving them your phone number in case you can't handle it was never a good idea.

Get a password safe, and don't forget your complex passwords.


2FA (through a third party like an email provider or, even, dare I say it, an SMS provider; not TOTP) continues to protect you when your password is compromised by a backend-side database breach. They might get your password; they might get your TOTP token seed; but there's nothing in the DB that will allow them to receive an email as you and then click the link in said email.

Yes, allowing someone to reset their password through a second factor is bad; but that's not 2FA, that's two independent 1FAs.


This is a good distinction and absolutely right. The problem comes when people substitute good passwords for 2FA resets via phone. The problem with that is that the majority of usage now comes from the phone, so it's not really a second factor if you lose your phone. It's a complex problem that depends on the situation and really too complex to make a matrix of when it's OK for your average Joe. Passwords suck, and we still use them, because as a general rule, it's the best thing we have.



