If SMS is not encrypted, why do companies send 2FA over text instead of email or something else?


Couldn’t someone intercept the text and get into my account?


26 Answers

Anonymous

There are a couple of things here.

First, SMS isn’t end-to-end encrypted, but it is encrypted over-the-air. An attacker with a radio can’t just intercept your SMS messages. It can be intercepted by your carrier, someone who’s hacked the carrier, or someone using a stingray (e.g. the police) who’s convinced your phone to connect.

Second, “2FA” literally means “second factor authentication” — there’s already been another factor used to initiate this action, which is usually a username+password.

This means to successfully attack a user’s account on a service using 2FA:

1. The attacker needs to know the username and password
2. The attacker has to have inside access to the carrier’s network equipment OR the attacker has to have a stingray and be nearby to have your phone connect to it

This significantly reduces the chance of a successful attack.

The real problem with SMS 2FA:

* SIM swaps are too easy — this is where someone basically steals your phone number by pretending to be you and getting the number transferred to their own device. Sometimes this is social engineering, sometimes it’s via an insider working for the phone company, sometimes it’s hacking the carrier.
* Too many places don’t actually use this as a “second” factor, especially for password resets. The most common exploit is that an attacker starts a password reset request, verifies the SMS (usually via SIM swap, but it could also be another hack), and then sets the password to whatever they want, and now owns the account. In the case of an account takeover, they’ll change the SMS and/or email address to ones they control and you’re totally locked out.
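To make the reset weakness in the last bullet concrete, here is a small added model (not code from the original answer or from any real service; `Account`, `issue_code`, `weak_reset`, `hardened_reset` and `simulate_sim_swap` are made-up names) contrasting a reset flow where the SMS code is the only check with one that also requires a code from a second, independent channel. It assumes an attacker who controls the victim's phone number after a SIM swap but knows neither the password nor the mailbox.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    email: str
    pending: dict = field(default_factory=dict)  # channel -> outstanding code

def issue_code(acct: Account, channel: str) -> str:
    """Create a 6-digit one-time code for 'sms' or 'email'; returning it
    stands in for delivery, so whoever controls that channel can read it."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[channel] = code
    return code

def _redeem(acct: Account, channel: str, code: str) -> bool:
    expected = acct.pending.pop(channel, None)  # single use
    return expected is not None and hmac.compare_digest(expected, code)

def login(acct: Account, password: str, sms_code: str) -> bool:
    """Real 2FA: password (something you know) AND SMS code (something you have)."""
    return hmac.compare_digest(acct.password, password) and _redeem(acct, "sms", sms_code)

def weak_reset(acct: Account, sms_code: str, new_password: str) -> bool:
    """The flaw described above: on reset, the SMS code is the ONLY factor."""
    if _redeem(acct, "sms", sms_code):
        acct.password = new_password
        return True
    return False

def hardened_reset(acct: Account, sms_code: str, email_code: str, new_password: str) -> bool:
    """Reset demands proof of control over two independent channels."""
    ok_sms = _redeem(acct, "sms", sms_code)
    ok_email = _redeem(acct, "email", email_code)
    if ok_sms and ok_email:
        acct.password = new_password
        return True
    return False

def simulate_sim_swap(hardened: bool) -> bool:
    """True if an attacker holding only the victim's number can log in afterwards."""
    victim = Account(password="correct horse", email="victim@example.test")  # constructed
    sms_code = issue_code(victim, "sms")  # the attacker reads this one
    issue_code(victim, "email")           # the attacker never sees this one
    if hardened:
        hardened_reset(victim, sms_code, "not-a-code", "attacker-pw")
    else:
        weak_reset(victim, sms_code, "attacker-pw")
    return login(victim, "attacker-pw", issue_code(victim, "sms"))
```

The login path is the same in both cases; only the reset policy decides whether a SIM swap alone is enough to take over the account.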
