Security risks of using Bitwarden as authenticator and password manager

I guess you’re not familiar with AitM attacks. But replay attacks don’t even require sniffing of network traffic — a simple phishing scheme will allow an adversary to get access to passwords for replaying, not to mention info-stealing malware that can grab passwords and/or session tokens.

That is an overstatement. You are hyperfocused on a single attack vector (the complete compromise of a user’s Bitwarden vault), which is very unlikely to occur if one takes common-sense precautions. Other Bitwarden users may have more diversified threat models, which would include more common attack vectors for which passkeys and TOTP stored in Bitwarden do provide adequate hardening.

So while it’s perfectly fine for you to set up your security precautions to align with your own idiosyncratic threat model, your recommendations and opinions do not necessarily apply to users who have a completely different threat model.

3 Likes
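The exchange above turns on replaying a captured password or TOTP code. The following added example (not from the post or from Bitwarden) shows the server-side mitigation that RFC 6238 section 5.2 recommends: a verifier that implements TOTP with the standard library, accepts a small clock-skew window, and refuses any counter value it has already accepted, so a phished or stolen code cannot be reused even inside its 30-second validity. The secret is the RFC 6238 test secret, and the `TotpVerifier` class and `replay_demo` function are names chosen here. Note the caveat: this stops replay of a code that was captured and presented later, not a real-time relay where the adversary forwards the code immediately, which is the AitM case the poster raises.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in ASCII), base32-encoded.
# Constructed test value; not anyone's real seed.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side verifier with clock-skew tolerance and one-time-use enforcement.

    `window` is the number of 30-second steps accepted on either side of "now".
    `last_counter_used` records the highest counter already accepted for this user;
    RFC 6238 section 5.2 says a code for that counter (or an earlier one) must be
    rejected, which is what defeats a captured-and-replayed code.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter_used: int | None = None

    def verify(self, code: str, at_time: int) -> bool:
        counter_now = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter_now + delta
            # Already-consumed (or older) counters are never accepted again.
            if self.last_counter_used is not None and candidate <= self.last_counter_used:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_counter_used = candidate
                return True
        return False


def replay_demo() -> tuple[bool, bool, bool]:
    """Legitimate login, then a replay of the same code 11 seconds later (still inside
    the 30-second step), then a fresh code far in the future. Returns the three verdicts."""
    verifier = TotpVerifier(TEST_SECRET_B32)
    captured = totp(TEST_SECRET_B32, 59)          # code the user typed at t=59
    first = verifier.verify(captured, 59)          # accepted: counter 1 unused so far
    replayed = verifier.verify(captured, 70)       # rejected: counter 1 already consumed
    later = verifier.verify(totp(TEST_SECRET_B32, 1111111109), 1111111109)  # fresh counter
    return first, replayed, later


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True)
```

The verifier state must be stored per user and per enrolled secret (in a database, not process memory) for the check to survive restarts and multiple application instances; otherwise a replay against a different server node would succeed.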