It's not because of the T2 though - it's because of the Secure Enclave holding the keys for disk encryption and firmware/kernel signatures.
They might have bundled them together, but the layer around the secure part is just another system - it doesn't make anything more secure. All its functions could have been taken up by the main system.
The only possible security win is by making BridgeOS simpler and less likely to have vulnerabilities.
I'd still say it's a net gain overall†, although the Great Bundling is questionable and definitely concerning in terms of attack surface, yet the synergies when finding and fixing vulnerabilities should not be taken lightly.
†It's overall a good thing evil maid/law enforcement/whatever doesn't get to have trivial access to the user's device anymore.