
Maybe use an alternative TOTP 2FA app such as Authy (closed-source but not tied to a Google account)



Maybe for something important like account access, keep things open-source and use FreeOTP as a drop-in replacement. It's on F-Droid here: https://f-droid.org/repository/browse/?fdid=org.fedorahosted...


Is there a simple CLI TOTP client? Or what do you use as a backup system if/when your phone fails?


My recommendation for backing up 2FA is to print the QR code that you set up your phone with, and lock it in a very safe real-world place. Do not keep a copy in a digital format.


I don't know of any CLI clients (that would be perfect with a Bash alias) but I just store the initial 'seed' passcode in my password manager. When setting up a new device, I manually enter that instead of scanning a QR code and it works perfectly.
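The two comments above ask for a CLI TOTP client and describe keeping the initial seed (or the printed setup QR code) as the backup. The setup QR code is just an `otpauth://totp/...` URI carrying that base32 seed, and the code itself is RFC 4226 HOTP run over `floor(unix_time / 30)`. The script below is an added example illustrating both points; it is not code from this thread or from any of the apps mentioned. The sample URI, label and issuer are constructed for illustration and use the RFC 4226/6238 test seed `12345678901234567890`; the function names are the example's own.

```python
"""Minimal RFC 6238 TOTP client (added example; not from the thread or any named app).

Assumptions: the secret is base32 as produced by common authenticator setup
screens, and the otpauth:// URI layout is the one those setup QR codes encode.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample URI: the RFC 4226/6238 test seed "12345678901234567890", base32-encoded.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret: str) -> bytes:
    """Decode a base32 seed as typed from a setup screen (tolerates spaces, lowercase, missing '=' padding)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret), at // period, digits, algo)


def verify(secret: str, code: str, at: Optional[int] = None, period: int = 30,
           digits: int = 6, algo=hashlib.sha1, window: int = 1) -> bool:
    """Server-side check: constant-time compare against the current step and +/- `window` steps of clock skew."""
    if at is None:
        at = int(time.time())
    key = decode_secret(secret)
    ok = False
    for skew in range(-window, window + 1):
        expected = hotp(key, at // period + skew, digits, algo)
        ok |= hmac.compare_digest(expected, code)
    return ok


def parse_otpauth(uri: str) -> dict:
    """Extract the seed and parameters from an otpauth://totp/ URI (what a setup QR code encodes)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": u.path.lstrip("/"),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algo": HASHES[q.get("algorithm", "SHA1").upper()],
    }


def code_for_uri(uri: str, at: Optional[int] = None) -> str:
    """Current code for a stored otpauth URI, honouring its digits/period/algorithm parameters."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algo"])


if __name__ == "__main__":
    # Usage: python totp.py <base32-secret-or-otpauth-uri>   (defaults to the constructed sample URI)
    arg = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_URI
    print(code_for_uri(arg) if arg.startswith("otpauth://") else totp(arg))
```

Because the seed (or the URI that wraps it) is all the client needs, whoever holds the printed QR code or the password-manager entry can generate valid codes indefinitely, which is the trade-off the rest of this thread is about. The `verify` helper is included to show the other side of the protocol: a server accepts a small skew window and compares in constant time.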


If you store your 2FA recovery codes in the same place as your passwords, there is effectively no point in you having 2FA, because compromising one factor, your password manager, compromises both.


You are correct but in my use-case I have my browser remember the passwords and use a standalone password manager for storing credentials that I infrequently access. An exploit compromising the browser would next have to compromise the password manager's encrypted database.

Admittedly this is not perfect, but I am comfortable with the level of security it provides. I think it is also roughly comparable to users who have a 2FA app on their mobile and a password manager syncing to the same device.



