[The_Colonel]

SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

[Too]

Fair. I still wouldn’t want to have such a fallback available by default. Being stronger than an even worse option doesn’t change that. Because it eliminates the security of the strongest option.