A really important concept in security is that of a threat model. Basically, you don’t design security measures around any and all attackers; you have to design them around the sort of bad guys you actually expect to face. Doing otherwise is a waste of resources.
E.g. if you have a shop, putting alarm tags on products is effective at dealing with shoplifters, but will do nothing against armed robbers. That’s okay, because, for most shops, shoplifters are a real problem but armed robbers really aren’t. Bulletproof glass and armed security are incredibly pointless expenses for Primark. If you’re a jeweler, though, you are in the business of selling sufficiently valuable goods that an armed robbery becomes a concern.
For most people, having recovery codes in a file on their computer or phone (or even written on a piece of paper on their desk) is fine, because the purpose of 2FA isn’t to deter the people who might get access to your computer or phone, but rather to deter random people online who managed to guess your password somehow.