I think you're letting perfect be the enemy of good. It doesn't have to be pure 2FA to be better than 1FA. Being in separate apps does give some benefits. It's always going to be harder to compromise two apps than it is to compromise just one of them (even if the difficulty increase is marginal, it's non-zero). Often simply not being low-hanging fruit is enough to save you from an attack.
There are plenty of things for which a 2FA in PW manager is fine, but the most important things I think it's an unnecesary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV
I did read your second paragraph. There is some ambiguity, but I ultimately decided you weren't agreeing with me because you said (emphasis added):
> I think 99.999% of the time storing your 2FA codes in your PW manager, or just moving on to Passkeys, is the right answer.
If you're storing your 2FA codes in your PW manager, then you're NOT using separate apps. You're using the same app (your PW manager). My argument is that you should use separate apps for the things that matter, like your email (which can be used to get access to almost every other account), and since you're already using separate apps for those things, you might as well just be consistent so you don't have to remember where each TOTP token is stored.
I see three levels we've discussed:
1. Pure 2FA using hardware token or equivalent (which I agree is rarely needed)
2. Impure 2FA but separate app for storing passwords and TOTP tokens (which I'm advocating for)
3. Storing TOTP tokens in PW manager (which you appear to be arguing for in 99.999% of cases, which is basically all of them)
If you are actually advocating for level 2, then we agree, but from reading your 2nd paragraph it seems pretty clearly to be arguing for level 3.
There are plenty of things for which a 2FA in PW manager is fine, but the most important things I think it's an unnecesary and regretful reduction in security. For example, email account. Email is the "forgot password" way to get access to almost everything, so it's worth a trifling inconvenience in having to load your 2FA into a different app. Same with things like AWS, Cloudflare, and other high-value targets. For the vast majority of people, keeping your Twitter seeds in your PW manager is fine, but it's foolish to do that with your email and other high-value targets, and IMHO if you're already going to have to have two apps, you might as well just standardize and keep the seeds in your authenticator app, and your passwords in your vault. YMMV