petitminion Well, one could brute-force your password, or intercept it somehow with phishing. Both are quite common scenarios these days, and everyone believes they won't fall for those strategies.
On the other hand, Funkwhale is a widespread piece of software; it most likely runs on dozens of servers, maybe even hundreds? There were attacks in the past where hackers injected some crypto-scam mining code and pushed it by doing a new release, and I don't see any reason why one shouldn't try this at Funkwhale. Backups won't help in this scenario either.
I understand that it's more complicated to use. This is always an issue; it's always security vs. ease of use, and there is no best approach, which is why I am starting this conversation.
I don't know the implementation of GitLab, but some huge platforms don't require the second factor each time if they are confident it's the same device on the same network anyway. Furthermore, it's likely your password manager is able to handle the second factor as well.
Sadly, GitLab does not allow us to require the second factor for a specific right, but we could handle those situations with groups, I guess.