
Agree, but I think in a B2C context, you need convenience first; then security can follow.



I think it depends. Banking, primary e-mails, etc. are extremely important systems today, and they should bias towards security. Other platforms where we talk can take a more balanced approach, and more casual sites can lean towards convenience, if you ask me.


Indeed, the problem with lots of fallbacks is that they can invalidate users' requests for higher security. Security can sometimes end up being only as strong as the weakest link.

Make the fallback too lax and you might as well not bother with 2FA/Passkeys at all.



