I kinda get why the GrapheneOS developers don’t want their product discussed on reddit: Imagine you’re searching for a problem with GrapheneOS and the only thing popping up is a Reddit thread. They don’t want their users having to go there as the “only” option to get their problem fixed

You could use third party clients with 2FA enabled in the past (at least I could). I think I used my normal password for the clients, so no real 2FA on that side, but that’s no different from the new app specific passwords. IMAP doesn’t allow 2FA so every mail provider allowing third party clients essentially has a weak point with no 2FA there.