As GitHub's chief security officer Mike Hanley said, the software supply chain starts with the developer, and protecting developer accounts helps secure the supply chain.
With 2FA enabled, logging in to your GitHub account requires your password plus a second factor such as a one-time password (OTP). This helps prevent your account from being stolen when a password leaks.
Even if you temporarily lend your phone to someone else, you don't have to worry about them abusing Autofill to sign in and spy on your accounts.
After you scan the QR code to confirm the fill, your password, OTP, and other data are first encrypted in the mobile app, then sent to the cloud server via the mobile browser, and finally arrive at the extension, where they are decrypted and filled in.
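The flow above, sketched as an added example that is not ID Guard Offline's code: it shows why a cloud relay that only forwards ciphertext can neither read nor silently alter the credentials. The page does not say how keys are established, so the QR code carrying the extension's public key, the X25519/HKDF/AES-256-GCM choices, and every function and field name here are assumptions.

```javascript
// Added illustration, not ID Guard Offline's code: X25519 + HKDF + AES-256-GCM and all names are assumptions.
const nodeCrypto = require('node:crypto');
const SPKI = { type: 'spki', format: 'der' };

// Both ends derive the same AES key from an X25519 exchange (assumed KDF: HKDF-SHA256).
function deriveKey(privateKey, peerB64) {
  const publicKey = nodeCrypto.createPublicKey({ key: Buffer.from(peerB64, 'base64'), ...SPKI });
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'autofill-demo', 32));
}

// Extension: per-request key pair; the public half is what the QR code is assumed to carry.
function extensionStartRequest() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('x25519');
  return { privateKey, qrPayload: publicKey.export(SPKI).toString('base64') };
}

// Mobile app: encrypt before anything leaves the phone. The return value is all the relay handles.
function mobileEncrypt(qrPayload, credentials) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(eph.privateKey, qrPayload), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(credentials), 'utf8'), cipher.final()]);
  return { epk: eph.publicKey.export(SPKI).toString('base64'), iv: iv.toString('base64'),
           ct: ct.toString('base64'), tag: cipher.getAuthTag().toString('base64') };
}

// Extension: decrypt; throws if any relayed byte was altered (GCM tag mismatch).
function extensionDecrypt(privateKey, msg) {
  const key = deriveKey(privateKey, msg.epk);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(msg.iv, 'base64'));
  d.setAuthTag(Buffer.from(msg.tag, 'base64'));
  const pt = Buffer.concat([d.update(Buffer.from(msg.ct, 'base64')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Run the flow on constructed sample credentials and report what each party can do.
function demo() {
  const creds = { username: 'alice@example.test', password: 'constructed-pw', otp: '123456' };
  const { privateKey, qrPayload } = extensionStartRequest();
  const relayed = mobileEncrypt(qrPayload, creds);
  const filled = extensionDecrypt(privateKey, relayed);
  const bad = Buffer.from(relayed.ct, 'base64'); bad[0] ^= 1; // relay flips one bit
  let tamperDetected = false;
  try { extensionDecrypt(privateKey, { ...relayed, ct: bad.toString('base64') }); } catch { tamperDetected = true; }
  return { roundTrip: filled.password === creds.password && filled.otp === creds.otp,
           relaySeesPassword: JSON.stringify(relayed).includes(creds.password), tamperDetected };
}
```

Under these assumptions the guarantee rests on the phone receiving the extension's public key directly from the QR scan rather than from the relay.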
ID Guard Offline Autofill can identify fake apps, display the information being requested, automatically match the account to fill, and so on.