Okay, but the attacker has RCE on the system doing the decryption, so they can scrape the encryption keys or the vault data out of memory. This appears to be an APT, probably a state-level actor. Once the production work machine was compromised, it's all over.
I'm not aware of any 2FA that could be successfully integrated into a symmetric-key encryption algorithm. How do we fix 2FA without making the entire password vault system dependent on network access to a central LP server that is not compromised?