Hey,
Proton Pass is open source and has now passed an independent security audit (by Cure53). The Android and iOS apps' source code can be found here; the browser extensions' source code for Firefox and Chrome-based browsers (including Edge) can be found here.
Proton has also completed an independent security audit conducted by Cure53 for all Proton Pass applications and browser extensions, along with the Proton API. This was a “white box” audit, meaning the security researchers were given full access to the Proton Pass source code, along with full access to Proton Pass engineers.
More information can be found in the blog post over here. The audit report can also be found in the blog post.
Personally, I don’t use 2FA in my password manager unless it’s something I don’t care too much about securing, because of everything you said. I use Bitwarden, but they offer the same service. My boss uses it and I can’t understand why he would trust one password to secure literally everything. Seems too easy to hack compared to keeping 2FA separate.