> So a user who cares more about security than convenience is going to take extra steps to secure iCloud Keychain like using two-factor with Yubikeys.

iCloud Keychain since the initial deployment of E2E encryption always had its own built-in 2FA protection outside your Apple account's own 2FA. You have to approve adding iCloud Keychain to another device with an existing trusted device OR you have to use your iCloud Security Code that you were prompted for when you initially activated iCloud Keychain.

https://support.apple.com/guide/iphone/passkeys-passwords-devices-iph82d6721b2/ios