A system being secure doesn't mean that the user doesn't have control. The operating system should allow the user to control it, but only in a secure way that doesn't compromise the rest of the security of the system. The Windows way of giving the user an administrator account, or the Linux way of giving the user a root account, has been proven over time to be worse for security. Windows has been trying to roll back this mistake, but most Linux distributions don't do anything because they don't care that much about security compared to an operating system like Android.
I wanted to extract some data files from an app I was using, and Google's Android told me that I was not allowed to do that. That was the app's data, not my data.
It doesn't really matter whether it's root or fine-grained permissions. The fact is that on stock Pixel phones the user can't access whatever data they want. So in practice they don't have control.
And the alternative is taking a picture of the QR code.
> Additionally just because someone is using a device that doesn't mean that the current user is the owner of the device.
Yeah, that's why you make the owner authenticate. It would be ridiculous to use that as a reason to make escalation impossible.
Furthermore, nothing prevents you from just taking pictures of the individual enrollment keys and printing those out either.
If you want TOTP 2FA that actually follows a one-key-per-device policy, you need to buy hardware tokens with some kind of out-of-band keying mechanism and enroll those. Then your problem changes from "how to stop people from copying my 2FA tokens" to "how to not get locked out of my account when my 2FA key device breaks."