If someone knows your username and password and can convince you to give them a TOTP code, then yeah they can log in to your account. That’s hardly iCloud-specific.
iCloud Passwords is more secure than that. Even a TOTP code and password is not enough to initiate a password sync. You also need to biometrically authenticate a previously synced device.
Thinking about it, what happens if you lose your eyes or your fingertips (say, for example, from frostbite)? Are you just screwed, or is there a recovery method?