One thing you can generally be sure about, no matter what changes they go through: They won't ruin their own services and income-streams. Removing cookies? They have replacement for that in their browser that no extensions will be able to help with. Removing sign-in methods? Within their ecosystem they pass whatever token they want, wherever they want.
Not really. You just need to use the apps specific pw that you can obtain from your account security page. I just did this for a bunch of Gmail accounts that have aliases setup to send out from custom domain email address.
The only change is that you have to enable 2fa to obtain an app specific pw that you then use to setup the alias or to log in into your google mail via the less secure app of your choice.
Note that there is no need for a phone number to setup 2fa as you can instead use the option of one time login codes and then validate access from your phone using any google app such as the gmail.