I don't think you should feel safe just because you have 2FA enabled. Local malware can wait until the next time you have to provide your second factor, and then use it to disable 2FA, etc.
My main takeaway from looking at some of the repositories is that they are deathly afraid of being run in a VM, because they think that means someone is trying to reverse engineer them. (Which I suppose makes sense; test untrusted software in a VM, if it doesn't do anything evil, then run it outside of the VM.)
At the end of the day, running local exes is about trust. Having 2FA enabled reduces the attack surface you have exposed, even if it doesn't eliminate it as you point out.
My main takeaway from looking at some of the repositories is that they are deathly afraid of being run in a VM, because they think that means someone is trying to reverse engineer them. (Which I suppose makes sense; test untrusted software in a VM, if it doesn't do anything evil, then run it outside of the VM.)