The idea is that the second factor, such as requesting a confirmation code via your email, isn’t actually known to the attacker, so they have no way to get a recovery code.
If they have you logging in with your email address and then also use that email address for 2FA confirmation, that’s just badly designed.