Ever heard of "Malicious Number Porting"? Who needs to intercept SMS when your telco will do it for you?
SMS provides poor security...
At which point, none of your phone calls or SMS come thru, so you know that the device is compromised. And the attacker STILL needs the first-factor to pair with the SMS, and to have a way to trigger the security key SMS to come thru during the brief window between when the port happens and before it is noticed.
If anyone is that dedicated to hacking you, then they're going to get your data no matter what. (And if your data really REALLY is that valuable, then you'll be protecting it with something a hell of a lot more secure than this anyway....)