It depends. If your iMessage account is tied to an Apple ID used on multiple devices with 2FA enabled then the code is sent to one of those other devices to validate the login on the new device. So if you are fully in the Apple ecosystem and have 2FA enabled then I believe it would be secure. I know I get alerts on my other devices any time I have had to re-add my phone number to an Apple ID. It tells me my phone number is now being used on another device. So at the very least you would probably be notified.
iMessage is only tied to an Apple ID for the e-mail part (where they can send iMessage to your e-mail). The phone number part is independent of that and you can take it over provided you prove ownership of the phone number (by inserting the SIM into an iPhone, it'll send an invisible SMS to Apple and back and that then activates iMessage on that number on that new device).
