Does any company in the world do something like this? If not, why make it sound like Heroku is doing something bad by not having it?
I don't think expecting people to protect their email and TOTP secrets is unreasonable, but it does go to show how vulnerable you are if your unlocked phone is stolen and you don't react quickly.
Don't give your phone to people you don't trust if it grants them this kind of access, and if somebody gets a hold of your phone or you lose it, change your passwords.
Believe me, I'm no stranger to flaming service providers, but I'm inclined to blame the user for not being sufficiently disciplined here. The service provider shouldn't have to make all these kinds of guesses about what you can access and within what timeframe.