Ordinarily, a bad actor would have to steal some of your information before breaking into your 2-factor-protected iCloud account. They would need your Apple ID, your password, and a 2-factor authentication code (or a digital token stolen from an authenticated device like a laptop or desktop).
Now everyone's favorite Russian purveyor of fine cracking software, Elcomsoft, has a tool called Phone Breaker. This new software requires the aforementioned information, but it then creates a permanent authentication token, which means the attacker won't have to re-authenticate until you change your password.
It also has a long list of "wonderful" features to make stealing information easier. Sure, law enforcement uses this, but does anyone believe they use it for legal purposes with a warrant, or that other, more nefarious bad actors won't use it?