Would someone buy an account where they don't change the email address and password, even when they know that the seller has those credentials? Who would be so stupid to then only enable or alter 2FA alone to hide and not trigger some markers?
I can guess that the majority of account market customers are users who have heard about the forum as a place to make profits by joining campaigns and contests, but they don't have the patience to create and maintain a high-quality account over a long period of time. This type of user never bothers to verify the security measures activated on the account they are about to purchase because they don't know anything about the forum's security policies and features. Another small percentage are users who work in account farming, and you'll find them taking care of accounts like they raise birds, meaning they periodically sell an account or buy a new one to add to their collection, etc. This type of customer is more cautious and usually knows what they're doing.
I don't trust authenticators that are closed-source and sync via some cloud. You can't know where your 2FA secrets end up. A cloud is just another entity's computer(s) and storage.
Everyone uses a closed-source Google app because they trust Google itself. Don't expect everyone to fully understand the importance of ensuring security and privacy. Ultimately, not many people seem to genuinely care about such details, even among the most respected members of the forum who use OTP login.