But nowadays, a lot of people use the same credentials on the phone just as well, and with everything asking to install their app, I’m not sure the attack surface really is smaller anymore. So, if you’re in this scenario, I agree with you that you may not be sacrificing much by having 2FA on desktop.

This makes sense and puts holes in my statement. I also feel like more people are willing to install shady stuff on their phones than their desktop now. I have no sources for this though.