[tialaramex]

SMS-based 2FA is pretty weak, I think you can reasonably assume that a resourceful government adversary can silently divert SMS codes intended for your phone to their systems.

In the case of China in particular we know that part of the "Great Firewall" have IP addresses associated with Chinese residential ISPs, whether those are "hijacked" or the relevant agency just asks nicely we do not know. So it may be that "Chinese central government intelligence agency" and "My neighbour's WiFi" are similar IP addresses if you live there.

But yes multi-factor authentication can reduce the impact of credential stuffing attacks.