John Connor, you are not paranoid, you are a responsible man.
Ignoring security leads to data leakage sooner or later.
No one has to break phpBB security, it's enough that the trojan steals the password from the admin computer or something else happens. 2FA in this case secures access, because the hacker does not have access to an additional codes generator, for example a phone with a Google Authenticator.
If double authentication was not good, nobody would introduce it. Currently, it has most financial services, including cards (3d-secure) but also IT solutions are going in this direction and as I wrote in principle, my entire hosting system at every login is secured with an additional code from the phone except phpBB.
Why in core? Because it ensures that the solution will be compatible and supported by the Team. Extensions are ok but sometimes the author stops making new versions and then all users have a problem, which we have experienced many times.