The sandboxing between apps on non-jailbroken iOS (and to a lesser extent un-rooted Android) is such that having the secrets stored in an app's database renders them secure against basically any attack that doesn't involve physical access to the device.
It's best not to rely on just one mechanism. Sandboxing mechanisms are also prone to exploits and bugs. For something as important as Two-Factor, Google engineers should be practicing defense in depth.
It's best not to rely on just one mechanism. Sandboxing mechanisms are also prone to exploits and bugs. For something as important as Two-Factor, Google engineers should be practicing defense in depth.