The system is setup not to reveal the secret once it’s set. Technical users can root their phones to extract the secret of course, but most users wont be willing to go that far.
You can of course set up a new secret & share it with multiple phones at that point. Not sure there’s much you can do to stop that using a software 2FA implementation. If it really matters, then a hardware token is the way to go.
It’s not a URI. The google-authenticator pam library generates an image that encodes the secret which gets echoed to the terminal as a QR-code. No internet access required - just a camera on your phone to image the code.
If you can take a photo of the code & re-use it, then you can initialise multiple phones with the same secret.
You can of course set up a new secret & share it with multiple phones at that point. Not sure there’s much you can do to stop that using a software 2FA implementation. If it really matters, then a hardware token is the way to go.