SendGrid's policy (as stated in their first email) is that the support people shouldn't be changing account emails in this fashion. Even if SendGrid had 2 factor auth, who's to say the support guy wouldn't have just disabled that?
At some point someone has direct DB access and can do this. Sure, normal support people don't but this just makes the social engineering aspect a bit more complex, not impossible.
With TFA if the email got changed it would not make a difference. The attacker would need the second factor to rest the password and to log in. So the worst they could do is to lock out the account owner. The support staff being socially engineered is a different story, but yes this is a security hole in SendGrid's system and an easily patched one at that.