I can’t agree with much of that, if any. I note you picked a pretty silly fake URL - www.creedthoughts.gov.www\bit-warden. And glossed over vault.bitwardem.com. Be honest, did you even notice it was wrong? Honestly?
And your comment “But again, it wouldn’t for sure know what 2FA you use, if you use one at all.”? I’ve no idea what you are thinking. The hacker doesn’t need to know what sort of 2FA you are using. If it’s a TOTP from an authenticator app, from a Yubikey, from a text message or from anything else… it doesn’t matter. It gets intercepted, used, logged in and your passwords stolen.
Your suggestion that if people are duped or are not careful enough, that therefore they should not have additional protection to help them in such circumstances? Well that’s just ridiculous.