Do I blame or think PyPI did anything wrong? No. I think everyone has the best intentions. I just think arbitrarily declaring someone's work 'critical' without some involvement from the users of that developer's work is going to cause problems and not actually solve the issue. PyPI doesn't really have access to the information needed to declare something critical.
PyPI maintainers selected their own, as they have every right to, and they are not obviously stupid, as they seem to be a reasonably good proxy for which packages would afflict most developers.
Personally, as a developer who both publishes and uses packages from PyPI, I'd love to know who finds 2-minute 2FA set-up too burdensome (and if you save it in your password manager, that's all you'll ever have to do) so I can avoid their packages. I have little faith in maintenance of packages for which a minimal one-time effort (per account, not even per package) is too big.
PyPI's interest here is in the integrity of accounts that can publish PyPI's most widely downloaded packages. If you believe based on the chosen label that in the future, PyPI will come in and expand the criteria for criticality, then I guess that's possible? But it's not what's happening now.