It's quite possible I'm over-thinking and being unduly paranoid. OTOH, consider the Mat Honan saga, although we tend to overly focus on unusual noticeable incidents.
I have two-step (with Google Authenticator on my mobile). My major fear is someone taking the mobile.
I suppose I'll create a one-off Gmail account as the password reset account, with a strong password but no recovery method.