I wonder if it's possible to get 2FA via authenticator as a feature for the Joplin cloud management account? I somehow see sort of a risk here: if a mailbox is compromised, the data is automatically at risk as well. Less security-affine users might also be vulnerable to credential stuffing. Given the "knowledge" that is stored in notes, these are an attractive target for attackers.
Yes, it's going to be added soon. In the meantime, you may want to enable encryption, as this secures the notes even if your mailbox or Joplin Cloud password is compromised.
If you use a good password, keep your password in a safe place, and check the connection for the correct URL and site information when you connect to your cloud management account, your "simple" password (without 2FA) is just fine, will never be compromised, and your data is safe too. If you have doubts about this claim of mine, read up on 2FA on Bruce Schneier's site.
Well, sadly no, and it's not enough. Nearly every corporate process demands a second factor of authentication for external services; it's state of the art for a reason. Especially if accounts have admin capability. You cannot assume to be safe from human error or immune to phishing etc., especially not in a multi-user environment with less IT-affine users. Just relying on a "good" password can get you into issues faster than you might expect. There is also no way to really avoid password re-use in your userbase. If a service does not offer such a feature, it's simply not usable for many commercial users. So it's pretty good to hear that this is going to be added soon. Really looking forward to it.
Further reads: Multi-Factor Authentication | NIST
Just because many people (or organizations) have decided to follow the herd does not mean they are going down the best route. You have stated your opinion, I have stated mine. All fine with me. But if you are interested in the limitations of 2FA (shouldn't everyone be?) then read Bruce.