What gets exposed if a malicious actor knows my master password but not my 2FA?

Pippo,
There are no 100% things in life, just degrees of it. A YubiKey is about as unhackable as you can get. I did see an article where someone hacked one, but they essentially had to have physical access to the key. Some day someone may find a way around it.

TOTP is 6 digits and has 000000 to 999999, or 1,000,000 possibilities. Testing by a fellow community member, Yuri, indicates that you can enter 10 wrong choices before the account is locked for 30 seconds, but that is for each IP address. He indicated that multiple IPs can each have 10 attempts. If you have a bank of computers constantly hitting the same number over and over again, we may be able to hack the account after a long period of time. Bitwarden does not warn you if someone fails 2FA, so you may not know that this is happening. Basically, it’s secure, but maybe not if you have some government agency after you. In those cases, maybe use a YubiKey.

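The reply above describes a lockout counted per IP address (10 wrong codes, then a 30-second lock). The sketch below compares that with a counter keyed on the account alone; it is an added example, not part of the original post and not Bitwarden's code, and the class, function names, account name and attempt stream are assumptions constructed for illustration.

```python
from collections import defaultdict

MAX_FAILS = 10     # wrong codes allowed before a lock (figure from the post)
LOCK_SECONDS = 30  # lock duration (figure from the post)

class FailureLimiter:
    """Counts failed 2FA attempts per key and locks that key after MAX_FAILS."""
    def __init__(self, key_fn):
        self.key_fn = key_fn                    # maps (account, ip) -> counter key
        self.fails = defaultdict(int)
        self.locked_until = defaultdict(float)

    def allow(self, t, account, ip):
        """True if an attempt at time t is verified rather than rejected outright."""
        return t >= self.locked_until[self.key_fn(account, ip)]

    def record_failure(self, t, account, ip):
        key = self.key_fn(account, ip)
        self.fails[key] += 1
        if self.fails[key] >= MAX_FAILS:
            self.fails[key] = 0
            self.locked_until[key] = t + LOCK_SECONDS

def guesses_checked(limiter, attempts):
    """Number of wrong codes the limiter let through to verification."""
    checked = 0
    for t, account, ip in attempts:
        if limiter.allow(t, account, ip):
            checked += 1
            limiter.record_failure(t, account, ip)
    return checked

def constructed_attempts(n_ips, per_ip, window=30):
    """Constructed sample: n_ips sources each send per_ip wrong codes in one window."""
    events = [(window * i / per_ip, "user@example.com", f"198.51.100.{n}")
              for n in range(n_ips) for i in range(per_ip)]
    return sorted(events)  # replay in time order

def compare(n_ips=20, per_ip=10):
    """Return (guesses verified with per-IP key, guesses verified with per-account key)."""
    attempts = constructed_attempts(n_ips, per_ip)
    by_ip = FailureLimiter(lambda account, ip: (account, ip))
    by_account = FailureLimiter(lambda account, ip: account)
    return guesses_checked(by_ip, attempts), guesses_checked(by_account, attempts)

if __name__ == "__main__":
    print(compare())
```

A per-account counter has its own trade-off: anyone who knows the master password can keep the real owner locked out of 2FA entry, so it is usually paired with a notification on failed attempts.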