>Generally the threat model that TOTP protects against is not someone breaking into your device.
And yet, in some realistic scenarios TOTP does protect me against that, if the second factor is on a different device, kind of like a poor man's YubiKey.
Not if I'm on your device and hijacking your already-authenticated connection. I just need to be careful enough to do it in the background in such a way that you don't notice.
If my device got stolen I would remove the device from my accounts immediately. And without the second factor you wouldn't be able to do anything about it.