
They would also need the password, not just the OTP, to gain access because it's really a two-factor, but also the risk of permanent loss if you lose a device is too extreme, so you would still need some alternative restore mechanism, at which point an encrypted sync is a much better alternative.


But it's called two-factor because it's supposed to be two independent factors to get into your account, so saying they would also need the password to get into the account makes no sense. The assumption that the password is known is baked into the principle of 2FA.

I also don't think it's true that you're locked out of your account permanently if you lose your OTP entry. Even the shittiest websites will have a reset mechanism. Also - backup codes?


Your device, as well as another device, and yet another - are all independent "something you have" factors from "the password you know". And adding a new device can be restricted via 2FA on the old device.

And I've addressed the backup codes - that's the alternative mechanism that's no better than the sync. Also, backup codes are not 2FA, so if you're so strict about 2FA that you don't even allow sync, then you can't have them, thus permanent loss.



