What if my system gets compromised and someone has access to the 12 word seed phrase BUT not the pass phrase (extension words), is it still safe? As for 2FA, I feel like I should add that for extra security, is it necessary? My concern for 2FA is if it goes missing, then what?
In any scenario that your system is compromised and the attacker gains access to your 12 word seed phrase, it is safe to assume they can also gain access to your extension words, because you had a serious security flaw in your setup.
2FA in this case may not help you either since the same security flaws may be exploited to gain access to your 2FA also or your seed backup.
But in case that only your seed phrase is compromised and not the extension words, the attacker has to brute force those words and it could be possible depending on the entropy those extra words provided. For example simple known words (like password123) will not provide any security but a random and long passphrase could (like J7}mn3V-xy1x)