 Google 2FA app token can be updated without checking the old 2FA

Ermm, as of February 2021, I was able to update my 2FA app token with the password alone, it did not ask for the old 2FA.

So what's the fucking point of 2FA then? An attacker with my password would be able to login by doing that!

Is it that Google trusts that particular action because I used the same phone/known IP or something like that?