by goupil 719 days ago
If your 1password is compromised, then loss of the password would mean loss of the TOTP, in which case TOTP doesn't help.

But there are other scenarios where your password could be stolen without someone getting access to your 1password, for instance if your connection isn't protected and a man in the middle can intercept your password.

In the end, I would argue that having TOTP in the same place as your password is weaker than having it somewhere else, but it's still better than no 2FA.


Another one would be a password change attack. TOTP in 1pw protects you against almost all of the things TOTP normally would, except an attacker somehow gaining access to your vault. But in order to gain access to your vault, they would almost certainly need access to one of your unlocked devices, thanks to the 1pw secret key, which is required in addition to your master pw to unlock the vault on a new device. And if they have that, then they would have your second factor even if it were in a separate app.
> But there are other scenarios where your password could be stolen without someone getting access to your 1password, for instance if your connection isn't protected and a man in the middle can intercept your password.

Then they could also intercept your TOTP code, which is valid for a pretty long time by default (remember that the TOTP code is accepted for some time after the counter goes to 0 to account for transmission delays, slightly out of sync clocks, etc.) and use that to log into your account.

TOTP does not protect against modern forms of phishing. You need something like FIDO2.

That's a very valid point, as an automated attack could then be performed. I guess it would at least help against an attacker that would be manually checking what's inside the packets captured, or that would let his attack passively capture everything for a while and then proceed to attack.