What’s the point of 2FA, if there’s a recovery code you can use when you lose ability to use your 2FA device?

In the end, isn’t that recovery code just the same as a password?

17 Answers

Anonymous

Kind of.

Most attacks aren’t targeted. 2FA, even with a recovery code, requires an attacker to both get the password and get the recovery code.

Since recovery codes are only kept with the individual and the service it means that an attacker would need to hack the service itself, and if they could do that then they wouldn’t need your account credentials.

Most account compromises happen because of password reuse.

Here’s an example. I have an account on Website A and Website B. I use the same password for both.

Website A gets hacked and all the usernames and passwords are leaked online.

Hackers take the passwords from Website A and try them on Website B. Since I used the same password on both, they can now log in to Website B.

Now if I have 2FA enabled on Website B, they log in with the password but they don’t have my 2FA, so they fail to log in. Even if I had recovery codes with Website B, the attacker still doesn’t have those because they weren’t stored with Website A.
