[justadudeama]

Not saying this isn't important data, but at some point does 2FA make this an innefective method to spy on your citizens? If I have 2FA on my Amazon, if the CCP tried to get into it I would just get a notification with a code, and do nothing except maybe change my password. Additionally, there are probably all sorts of account logs saying "this is who logged in when from what IP address" that are associated with a lot of these accounts.

Direct access via the companies themselves is probably much more valuable today.

[tialaramex]

SMS-based 2FA is pretty weak, I think you can reasonably assume that a resourceful government adversary can silently divert SMS codes intended for your phone to their systems.

In the case of China in particular we know that part of the "Great Firewall" have IP addresses associated with Chinese residential ISPs, whether those are "hijacked" or the relevant agency just asks nicely we do not know. So it may be that "Chinese central government intelligence agency" and "My neighbour's WiFi" are similar IP addresses if you live there.

But yes multi-factor authentication can reduce the impact of credential stuffing attacks.