to be honest I am on the side that thinks asking 2FA to disable 2FA is not necessary, now I read my comment again, it sounds like I was on other side.

on both cases, password change and 2FA disable, it is asking password (but not 2FA)

So I think when you are logged in it is 1st factor, 2nd one is password. No need for 3rd one.