Yes, this whole thing is absolutely predicated on the concept of "if you lose access to your email you already have much bigger problems". But for me at least that's true.
The phone app would be more secure, but that's much higher onboarding friction than an email address, which everyone already has.
For lost email I'm inclined to agree with you. There would need to be some mitigation there (encouraging or requiring users to have a backup email, etc.).
But for stolen email credentials, one of the first things an attacker is going to do is start going through your email archives to see what services you use, and resetting all your passwords to important services.