That's not true for SMS-2FA, since text messages are often delivered to the device with the browser. Safari on both macOS and iOS will offer to automatically fill in the code received from SMS.
I am curious as to how Safari connects the 2FA code to the web page. It would seem whatever they are doing could easily implement a database that maps 2FA SMS messages to domains, not only refusing to auto-enter them on phishing sites, but warning the user they may be on one.
It doesn't; it offers to autofill a received code into a field on the page for a short time, but only actually fills it upon user interaction (so the page can't be sniffing for it via JS the moment it arrives).