My bank and my wife's bank both require 2FA. On the app, one of the Fs is having physical access to the device (the phone/app, which was vetted by the bank when the app was installed). On web browsers, these two banks don't offer any factor like that.
In end effect, the banks treat a non-rootable device as suitable as a "something you have" factor, but will not treat a rootable device as that.
In end effect, the banks treat a non-rootable device as suitable as a "something you have" factor, but will not treat a rootable device as that.