The knowledge of login credentials DOES NOT enable you to download the encrypted version of your vault; you still need your remote vault password for that.
This is new information, thanks for sharing. However… are you saying the password is sent over the web to Obsidian HQ, where it is then checked against your Vault? (And if all good then it allows the Vault to be downloaded, otherwise it does not.) That has its own security concerns.
Even ignoring those, I hope you can see that removing the whole “Downloading your encrypted vault” point is but one of many I give in this post. Two Factor Authentication is necessary for proper protection of a user’s data and their account.
And as @chrissanders requested, having 2FA for the Encryption (optionally) would be an added bonus, as then we users would retain the only access possible to the data, and Obsidian themselves would have none (and thus more security is achieved).