Accessing TOTP or passwords in the iOS built-in password manager requires someone to (1) have your phone and (2) pass a biometric authentication or a passcode authentication.
My threat model doesn't include Apple or Google, the maker of the operating system. If you assume they could push an update to the built-in password manager, you need to assume they could push a keylogger that exfiltrates both your regular password and the password for your TOTP app.
Fair enough. They're who I'm mostly worried about.
I've got the Google apps in a sandbox, so I think if they pushed such a thing they could only spy on my logins with them.
Not that I have supreme faith in GrapheneOS to keep Google in its box on a device that Google made, but I do hope that it represents enough friction that I get excluded as an outlier from whatever abuses occur.
That's the two factors right there.