2FA only protects login. If you're already logged in, someone with access to the computer can just copy the session token. Or instruct the email client that is already running to dump all your emails to a local file.