By default they don't ask questions. You can craft that behaviour with the system message or account settings. Though they will tend to ask 20 questions at once so you have to request it to limit to one question at a time to get a more natural experience.

Ledger is now introducing a seed recovery feature that splits the key using Shamir's secret sharing and sending parts to third parties. They are currently answering questions on Reddit https://www.reddit.com/r/ledgerwallet/comments/13j5cna/intro...

If this sounds desirable to you, by all means offer yourself as a volunteer for human sacrifice in the altar of Mother Nature.

I'd rather have vaccines.

"and every so often, I would get authorization code texts for the Gmail account that was tied to my Instagram handle"

As far as I know these authorization texts are only sent when your Gmail username and password have been entered correctly. This would indicate that the attacker knew your long random password. Keylogger? From there they only need your 2fa to access your account.

If I'm not mistaken, the attacker set call/msg forwarding on his phone via his telco and then they chose the "forgot my password" option where a SMS text from Google (now going to attacker's phone) can be used to reset the password.

I have a similar method. When I setup 2FA on an account, I print out the QR code and scan this with the phone to verify it works. I then store the paper QR code in a safe place.

Or you could right-mouse save the image of the QR code as a file and then put that file on a CD-ROM or flash memory.