That's precisely the OP's point. If a rogue physical visitor is a threat vector you need to protect against, then you have a different policy for that (e.g. how they get on your network or physically enter your IT homelab). But if you have a home NAS then what's the point of MFA?