I could be wrong but I think the attack circumvents this. As the attacker would receive a user's JWT token, the 2FA in the login process is moot. Still better to have it enabled in general tho.
Without knowing too many details, I believe it won a bunch of UX design awards and its previous user base (which included me) is quite loyal. So it makes sense. 💡