by NeutronBoy 3667 days ago
That's a bit extreme. You could just put a passcode on your phone?
1 comments

There have been many attacks in Russia where attackers would get a duplicate SIM card from the operator (either with a bribe or a forged passport) and then proceed to hack everything linked to it - Gmail, banks, Facebook, etc.
At that point (identity fraud) there's very little you can do short of not allowing password resets. Even if you have a human customer support rep to verify your identity prior to resetting a password, you can just send your forged identity documents.
I think this is something that Google is working on. By capturing multiple "facts" about you a company can be fairly certain who is trying to access an account, apart from passwords and phones. For example, they can tell if you spend 99.9% of your life in one country and then suddenly request a password reset from another country. I'm sure there are lots of other minor indicators that are much more difficult to fake, but putting them all together they should be able to get a pretty good picture of who you truly are even without proper 2FA.
Probably the only thing you can do is to have a separate secret email or phone only for account recovery, which are not linked to you in any way, or recovery codes printed out and stored in a secure location.