I strongly recommend that you remove all banking apps from your phones and use a stay-at-home desktop for online banking. Just this week I was reading a security report that said thieves are targeting phones then *immediately* submitting an account recovery. The 2-factor authorization is sent to the phone, which they have. That locks out the owner. Then they start going through the banking apps.
A woman who got locked out of her Apple account minutes after her iPhone was stolen and had $10,000 taken from her bank account says Apple was 'not helpful at all'
https://finance.yahoo.com/news/woman-got-locked-her-apple-163000848.html
/r roughly covered the way the account recovery method works when stolen.

In the typical case when a phone is stolen (and they have the iPhone passcode), they attempt to disable Find My iPhone, but that requires the Apple ID password. Instead, you can reset the Apple ID password (WITHOUT HAVING THE APPLE ID PASSWORD) and from there do anything you want. The user will not be able to sign into their Apple ID anymore to report the phone as stolen, and the thief will have your Apple ID, device, and phone #, which unlocks most of your world even if you have 2FA turned on.
You can try it yourself, go to Settings > Click your iCloud Account > Password & Security > Change Password.
Even with 2FA enabled for your Apple ID, you can reset the password from here. And for everyone saying just don't type in your passcode in public, there are plenty of times that Face ID and Touch ID fail a few times and you have no choice but to enter the passcode.
Q: Apple lets you disable their ability to recover your lost password by generating recovery keys that you print out and store safely, at which point they lose the ability to recover your account. Wouldn't that stop unauthorized access?
You can still reset the Apple ID password with only the phone's passcode; having a recovery key in place doesn't help at all. Even if you have a recovery key, a new one can be generated without having to enter the Apple ID password.
Q: Any solution?
Not really.
At a minimum you should not use iCloud Keychain and use a 3rd party password manager.
Once they have access to your account you should expect your other Apple devices to be locked down and rendered completely unusable. You will not be able to use those devices at all if Find My iPhone/iPad/Mac is enabled.
You should have all your important documents, photos, and videos backed up to a 3rd party (and not just Time Machine). You should also expect to never have access to your @icloud.com email again.