by woodruffw 1143 days ago
It's also worth noting that the "physical attacker" scenario is outside of most people's threat models, even if they think that it isn't: most people leave their physical second factors plugged into their devices or on their desks, and interposing between a user's computer and their keyboard doesn't require any technical ability (only the ability to plug and unplug a USB).

The risk with same-device (or same-manager TOTP) isn't necessarily in a physical adversary (who's going to win anyways), but in a digital adversary who can run code (or read files) on one device but not several. That's one of the main reasons users are encouraged to use physical factors or, lacking that, an on-device factor that requires some kind of OS-mediated privileged interaction.