HACKER Q&A
📣 mttjj

Is Chime's (online US bank) 2FA system flawed?


I signed up for a Chime (https://chime.com) account last weekend. The first thing I did was try to find out how to turn on 2FA for my account. Not finding the setting, I reached out to the company on Twitter. They replied and said that 2FA is turned on for all accounts by default. (It's SMS based and cannot be configured to be One-Time Password based, which is less than ideal, but that's not my point here.) I was confused when they told me that it was on for everyone because I was not asked for a 2F code when I logged into my account on my Mac. I reached out again and here's the first response I got back:

https://pastebin.com/JbGGXYzN

This was immediately concerning to me and rather confusing. What are the criteria for when it asks and when it doesn't? Will I be lucky enough that when a bad actor obtains my credentials from a security breach they will be asked to supply a 2F code to access my account? I tried logging in on a few more devices. I cleared cookies and caches on them and even switched to a cellular network on my phone. I was NOT asked for a 2F code on two devices (one being the cell network-connected phone) and WAS asked for a 2F code on two other devices. I replied to the support response and got this as a reply:

https://pastebin.com/BXEGeNbK

Am I crazy, or does this completely defeat the purpose of 2FA? In my above scenario, where this bad actor already has my credentials, it sounds like they have free rein over my account. I practice good password habits (different passwords on every account and changing passwords immediately upon hearing about a breach), but this system still leaves me vulnerable if I don't hear about a breach for a few days.

Please put my mind at ease and tell me that their 2FA system is not as bad as I think it is. If they gave me control to configure it so the system asks _every_ time I log in I wouldn't have as much of a problem. But I don't like this mysterious algorithm that decides when it's going to ask for a 2F code.


  👤 Thespian2 Accepted Answer ✓
Their second description is not 2FA, but password recovery.

At best, the support rep is confused between the two, very different, flows.

Your understanding of 2FA is correct. If what the support rep said is accurate, I wouldn't trust them with my money.
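The poster's test (clear cookies and cache, log in again, expect a code prompt) is exactly the check you would run against a "remembered device" step-up design, which is the usual reason a site prompts on some devices and not others. The example below is added here to show what such a design looks like when it is implemented correctly; it is not Chime's code and nothing on this page describes Chime's actual logic. The token format, the 30-day lifetime, and the function names are all assumptions for the illustration. The point it makes: a device that carries no valid token (a fresh device, or one whose cookies were cleared) must always be asked for the second factor, and a token cannot be reused for a different account, after expiry, or after tampering.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side signing key (constructed for this example; a real deployment keeps it in a secrets store).
SERVER_KEY = secrets.token_bytes(32)
# Hypothetical policy: a device stays trusted for 30 days after a successful OTP check.
TRUST_TTL = 30 * 24 * 3600


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, now: float) -> str:
    """Mint a trusted-device token. Only called after the OTP check succeeded.

    The token is bound to the account and to an expiry, and is HMAC-signed so the
    client cannot forge one or edit the user id or expiry.
    """
    nonce = secrets.token_hex(8)
    payload = f"{user_id}|{int(now) + TRUST_TTL}|{nonce}"
    return payload + "|" + _sign(payload)


def device_is_trusted(user_id: str, token: Optional[str], now: float) -> bool:
    """True only if a token is present, its signature verifies, it names this user, and it is unexpired."""
    if not token:
        return False
    try:
        uid, exp, nonce, sig = token.split("|")
    except ValueError:
        return False
    payload = f"{uid}|{exp}|{nonce}"
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    return uid == user_id and int(exp) > now


def login(user_id: str, password_ok: bool, device_token: Optional[str], now: float) -> str:
    """Password step. Returns 'denied', 'otp_required', or 'ok'.

    A correct password on a device without a valid token never yields 'ok':
    the caller must go through complete_otp first.
    """
    if not password_ok:
        return "denied"
    if device_is_trusted(user_id, device_token, now):
        return "ok"
    return "otp_required"


def complete_otp(user_id: str, otp_ok: bool, remember_device: bool, now: float) -> Tuple[str, Optional[str]]:
    """OTP step. On success, optionally mint the token the device will present on later logins."""
    if not otp_ok:
        return "denied", None
    return "ok", (issue_device_token(user_id, now) if remember_device else None)
```

Run against the poster's scenario: a login with no token (cookies cleared) returns `otp_required` every time, and the token minted for one account is rejected when presented for another. A system that skips the prompt on a device with no token is doing something other than this, and support's description of when the prompt appears is the only way to find out what.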


👤 mttjj
Sorry about the pastebin links. I ran over the character limit.