2FA is a great thing to have. It is based on the idea that a password alone is not enough to authenticate.
However, if the password of an account is compromised by an unauthorized person, and this person gets access to a signed-in device, they can
- change the password
- change the email address and
- disable 2FA
without having to go through the 2FA - thus effectively preventing all means of access to the owner.
What is worse (and this is the personal experience of a colleague here), the Dropbox support will not be helpful in regaining access to the account for the legitimate owner. Their comment was simply "Unfortunately, there may be no action that we can take since the account's email was changed using the legitimate password to the Dropbox account."
I believe that in addition to asking the current password, a 2FA code should be required when editing the password, email and for disabling the 2FA, as these are very security-sensitive settings.