This is like saying if someone stole your key ring, they now have access to your house.


If your key ring included a teleporter that could steal all your possessions with a single button click, then yeah.

If someone steals your keys, they still have to find a time when no one's home, and it's still hard to steal things from a physical location quickly. Once you notice your keys are gone, you can call a locksmith and rekey the house.

That's why the article recommends a time delay. There should be enough time to realize that your access has been compromised, and nothing destructive should occur faster than that time limit. Ideally, the time limit should be configurable, so you can go on a vacation and know that even if someone hacks into your email the day you leave, nothing will get committed until your return.
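The configurable hold period proposed in the comment above, worked through as an added example that is not code from this thread, from the article, or from Heroku; the class, method names and the sample "destroy app" action are hypothetical. Time is passed in explicitly so it runs offline without sleeping, and shortening the hold is itself treated as a delayed action, because otherwise whoever holds the hijacked session would simply set the delay to zero before doing anything destructive.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PendingAction:
    action_id: str
    description: str
    run: Callable[[], None]   # the destructive operation, deferred
    requested_at: float
    executes_at: float


class DelayedDestructiveQueue:
    """Hypothetical hold queue: destructive operations are recorded, the
    owner is notified out of band, and nothing runs until the hold period
    has elapsed without a cancellation."""

    def __init__(self, hold_seconds: float):
        self.hold_seconds = hold_seconds
        self.pending: Dict[str, PendingAction] = {}
        self.notifications: List[str] = []   # stand-in for email/SMS alerts
        self._counter = 0

    def _new_id(self) -> str:
        self._counter += 1
        return f"act-{self._counter}"

    def request(self, description: str, run: Callable[[], None], now: float) -> str:
        """Queue a destructive action; it becomes eligible at now + hold."""
        action_id = self._new_id()
        executes_at = now + self.hold_seconds
        self.pending[action_id] = PendingAction(action_id, description, run, now, executes_at)
        self.notifications.append(
            f"{action_id}: '{description}' will run at t={executes_at:g}; "
            f"reply CANCEL {action_id} to stop it")
        return action_id

    def cancel(self, action_id: str) -> bool:
        """Cancel a queued action. Returns False if it is unknown or already ran."""
        return self.pending.pop(action_id, None) is not None

    def set_hold(self, seconds: float, now: float) -> Optional[str]:
        """Lengthening the hold takes effect immediately (it only adds safety).
        Shortening it is queued behind the *current* hold, so a hijacker
        cannot collapse the window and then act within it."""
        if seconds >= self.hold_seconds:
            self.hold_seconds = seconds
            return None

        def apply_shorter_hold() -> None:
            self.hold_seconds = seconds

        return self.request(f"reduce hold to {seconds:g}s", apply_shorter_hold, now)

    def tick(self, now: float) -> List[str]:
        """Run every queued action whose hold has elapsed; return their ids."""
        ran: List[str] = []
        for act in list(self.pending.values()):
            if now >= act.executes_at:
                act.run()
                del self.pending[act.action_id]
                ran.append(act.action_id)
        return ran


def demo() -> dict:
    """Constructed scenario: owner leaves for a week, the account is hijacked
    the same day, the owner cancels everything on return, then a legitimate
    destroy goes through after the normal hold."""
    day = 24 * 3600
    apps = {"prod": "running", "staging": "running"}   # constructed sample state

    def destroy(name: str) -> Callable[[], None]:
        def run() -> None:
            apps[name] = "destroyed"
        return run

    q = DelayedDestructiveQueue(hold_seconds=1 * day)
    q.set_hold(7 * day, now=0)                              # vacation: lengthen, immediate
    shrink = q.set_hold(0, now=3600)                        # hijacker tries to zero the hold
    delete = q.request("destroy app prod", destroy("prod"), now=3600)
    ran_during_vacation = q.tick(now=3 * day)               # nothing eligible yet
    cancelled = [q.cancel(shrink), q.cancel(delete)]        # owner returns, cancels both
    legit = q.request("destroy app staging", destroy("staging"), now=30 * day)
    ran_after_return = q.tick(now=37 * day)                 # 7-day hold elapsed
    return {
        "apps": apps,
        "cancelled": cancelled,
        "ran_during_vacation": ran_during_vacation,
        "ran_after_return": ran_after_return,
        "legit_id": legit,
        "notifications": len(q.notifications),
    }


if __name__ == "__main__":
    print(demo())
```

The notification channel matters as much as the delay: if the only alert goes to the same email account the attacker now controls, they can read and discard it, so in practice the hold notice should also go to a second contact (a phone number, a second owner, a security mailbox) that the compromised credentials do not reach.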


Does any company in the world do something like this? If not, why make it sound like Heroku is doing something bad by not having it?

I don't think expecting people to protect their email and TOTP secrets is unreasonable, but it does go to show how vulnerable you are if your unlocked phone is stolen and you don't react quickly.

Don't give your phone to people you don't trust if it grants them this kind of access, and if somebody gets a hold of your phone or you lose it, change your passwords.


My impression was that Heroku was an example with a lot of impact, not that this was calling Heroku out for sub-standard practices.

The problem is that standard practices are lacking.


Believe me, I'm no stranger to flaming service providers, but I'm inclined to blame the user for not being sufficiently disciplined here. The service provider shouldn't have to make all these kinds of guesses about what you can access and within what timeframe.


Exactly. This isn't specific to Heroku at all.



