Restrict Access to TOTP Authenticator Key

Citation please.

The reference I tend to use (NIST-800-63B-3) states that complexity and forced changes weaken security because they result in poor choices (e.g. Password1!). The recommended mitigation is to eliminate complexity and maintain strength by increasing length. Nowhere does it postulate that MFA is a license to accept decreased password strength.

800-63B also states “Memorized Secret Verifiers … SHALL force a change if there is evidence of compromise of the authenticator” (§5.1.1.2). In this case, the evidence is that someone formerly authorized still knows the password.


Having the TOTP master key in the vault is a violation of MFA. No matter what you do, the master key may leak from the client application.

I already described a solution here[1]; the solution requires a change in the mindset of all password management products regarding what keys mean. Interestingly, this is exactly the service they try to provide while lacking an understanding of the implications.

[1] Restrict Access to TOTP Authenticator Key - #10 by alonbl

Having the TOTP in Bitwarden at all, let alone with the secret key visible, reduces out-of-band 2-Factor Authentication to a shared-factor 2-Step Authentication.

Bitwarden have a lot of very smart people who understand this and its implications, and I suppose their thinking is that users exercise their own choice, on the basis that 2-Step is better than 1-Factor. I am not sure all regular users understand the implications.

Personally, I lean on the side of caution and keep my 2nd Factor out-of-band. I have been a target of a nasty multi-vector cyberattack in the past. Cybercriminals only have to be successful once in a person's lifetime, and they can wipe people out.