+1. I understand certain activities already prompt SMS or email-based verification [1], but I'd feel safer if logging in always required U2F or TOTP verification. My workaround is to reduce the threat of compromise by removing saved payment methods whenever I don't need them. It's a hassle, and makes me less likely to book reservations.
[1] from https://www.airbnb.com/help/article/501/how-can-i-keep-my-account-secure
> If you log in from a new place or make a change to sensitive account information, we may ask for some information to help confirm it’s really you. Specifically, we may ask you to enter a security code sent to your phone or email address, or verify some of your account details.