I use Aegis, which automatically backs up with each change to the database to a folder that gets synced to a couple of different computers via syncthing.
For backup codes, I have a separate keypass database that’s backed up to a couple of places. I thought about using Bitwarden for this backup, but having my 2FA backups in the same place as my passwords kinda defeated the point, IMO.
Anyway, this system has worked well for me.
I feel like defederating is a good short term solution, but the events described with XMPP could have happened in any number of ways.
The real focus should be on how to make ActivityPub robust enough to prevent the events from the article from happening again.