Also, TOTP is kind of secure if you never log into the website from the device that has the authenticator. Otherwise, it is pretty vulnerable to attacks that target the client.
IMO the real issue here is that almost all websites consider email a good way to verify someone's identity when they want to reset their password, while in reality email is a terrible medium. Attacks on DNS work, and a lot of SMTP traffic is still plaintext. The way to secure email is to encrypt and sign at the endpoints, but of course websites don't do this in the password reset flow.