Absolutely, a state-level opponent could get up to some shenanigans though I would argue that a state has much easier methods to go cracking into my Visa card. My threat model doesn’t include nation states targeting me specifically because, simply, if one comes after me I am screwed anyway.
As for email being unencrypted, I think most of it now is encrypted during transit (thanks to the Big Two providers knocking points off a spam score if a message does come via TLS) and even if it weren’t the password is also not known so the second factor is not useful. For example, I just tried to log in to chase.com and the code they emailed me at 1752 MST is 067315.
If I’ve been phished so hard that posting this is useful, again I’m screwed.
As for email being unencrypted, I think most of it now is encrypted during transit (thanks to the Big Two providers knocking points off a spam score if a message does come via TLS) and even if it weren’t the password is also not known so the second factor is not useful. For example, I just tried to log in to chase.com and the code they emailed me at 1752 MST is 067315.
If I’ve been phished so hard that posting this is useful, again I’m screwed.