Two-Factor Email is not maintained

But perhaps even worse is that with a compromised client (especially Windows), even when using different complex passwords for Nextcloud and the email account in conjunction with the app Two-Factor Email, there is no protection. The attacker receives both. This is very different with TOTP, as TOTP is used on a second device such as a smartphone. And no, Google Authenticator is not a risk because it comes from Google.

That’s why I don’t think much of Two-Factor Email. It suggests a level of security that does not exist in at least some attack scenarios.

Conversely, I wonder how else attackers would get the password of a Nextcloud user. By trying it out via the web interface? Even if the password is not very complex, that is unlikely. Via the server itself? And the connection is also encrypted. In my opinion, the biggest risk is the client. And it is precisely this risk that is not covered by Two-Factor Email.