
Only for high value targets right? Takes some work to spoof.



No. Phishing SMS/TOTP tokens works the same as normal phishing. You need U2F to protect against phishing.

The complex attack you are probably thinking of is SIM swapping, which is a bit different than phishing.


TOTP gets a little tricky when it comes to phishing, but only because most phishing attacks that target casual users (rather than spear phishing attacks) aren't capable of logging in immediately. Naturally, that would change if enough people started using TOTP, but for now, TOTP is enough to avoid becoming low-hanging fruit.

Of course, if you're a high-value target or work for a company that's likely to be targeted by spear-phishing campaigns, you should be using FIDO2. (Don't target U2F, as there are newer, backward-compatible specifications.)
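Added example (not code from any commenter) modelling the two points above: a server verifying TOTP cannot tell which page the user typed the code on, so a code relayed within the time window is accepted, while a FIDO2/WebAuthn assertion carries the real origin and RP ID inside the signed data. The TOTP part follows RFC 6238; the WebAuthn part is simplified, with HMAC over a constructed shared key standing in for the authenticator's public-key signature; all seeds, keys, origins and challenges are constructed.

```python
import hashlib, hmac, json, struct

# Constructed demo secrets (not real credentials). Real WebAuthn uses an
# asymmetric key pair; HMAC over a shared key stands in for the signature here.
TOTP_SEED = b"constructed-totp-seed"
CRED_KEY = {"bank.example": b"constructed-credential-key"}  # authenticator keys, scoped by RP ID
STEP = 30

def totp(seed: bytes, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP code (HMAC-SHA1, 30-second step) for Unix time t."""
    mac = hmac.new(seed, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def verify_totp(seed: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Server-side check: accepted from whoever submits it inside the window;
    nothing in the code says which page the user typed it on."""
    return any(hmac.compare_digest(totp(seed, now + k * STEP), code)
               for k in range(-skew, skew + 1))

def browser_get_assertion(page_origin: str, rp_id: str, challenge: str):
    """Browser + authenticator: the browser records the origin it is really on and
    only uses a credential whose RP ID matches that origin's host."""
    host = page_origin.split("://", 1)[1]
    if rp_id not in CRED_KEY or not (host == rp_id or host.endswith("." + rp_id)):
        return None  # no usable credential for this site: nothing to relay
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    sig = hmac.new(CRED_KEY[rp_id], auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(assertion, rp_id: str, expected_origin: str, challenge: str) -> bool:
    """Relying party: challenge, origin and RP ID hash are all under the signature,
    so an assertion minted on a look-alike origin fails even if relayed instantly."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    expected_sig = hmac.new(CRED_KEY[rp_id], auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    return (cd.get("type") == "webauthn.get" and cd.get("challenge") == challenge
            and cd.get("origin") == expected_origin
            and auth_data == hashlib.sha256(rp_id.encode()).digest()
            and hmac.compare_digest(sig, expected_sig))
```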


Yeah, most phishing attacks can't auto-login, but there is an open-source tool for doing it:

https://github.com/kgretzky/evilginx2


Oh yeah I was thinking of sim swapping. Thanks.


Depending on the method, it doesn't have to be targeted to the user, just to the platform. For a platform like Robin Hood, most accounts contain enough money that even one account could pay off for the effort.


Typically this takes enough work that it has to be at least somewhat targeted, but even some rando with just a few thousand dollars in their account would probably be a large enough target, because it doesn't take super long.



