Hacker News
by _verandaguy 2907 days ago
>It seems like a limitation of this attack is that you must have the camera pointed at the keys ~1 minute from the last time it was used. (Presumably because the heat dissipates quite quickly.)

An attacker could just stick a camera into a dark corner of a room and have it run perpetually. Video exfiltration might be an issue but certainly not insurmountable.

RE: your second point: that's true, but the point of TOTPs is that they expire before they can realistically be guessed (assuming rate limiting on the TOTP server).