2FA is about having a factor which changes every time you use it, so if the medium is intercepted somehow the account isn't permanently compromised.
It's protection for when using untrusted computing devices, or because most people have their passwords in some way visible or shared.
TOTPs can't be reasonably made much longer than they are while still usefully entered, but my password database never leaves my own devices and neither does the password to it.
If someone compromises my phone to the level they can get that database, then they've already got my Google Authenticator or whatever DB as well anyway.