Lemmy is beta software. One of the updates around the 0.19.0 mark (we're up to 0.19.5 now, with 0.19.6 around the corner) changed the login stuff. I don't remember the details, but instead of locking everyone out of their accounts, 2FA was disabled. The lemmy.world admins didn't choose this, it's just how the update worked.
I don't know what kind of communication or sticky posts were used during the upgrade, but I'm sure some people missed it, including OP.
Ah, that must be it. 2FA is still a very good security feature to have.
But there is nothing only you know that is still useful because a secret must be shared in order to be useful (unless you just have full disk encryption and then when it is unlocked and network connected, it is still vulnerable). In short, admins could change your password since you are not the sole admin of your own server but then you would have to have mass appeal to be "useful", i.e. popular.
In theory, Tim Cook might have a keybearer who could usurp the throne with all the proprietary OEM crypto keys that only the Company knows, but everyone knows who the CEO is and the keybearer could get in big trouble unless he had an army...
Things can be changed on the server side and the network is not the same as the device: these are technology truths some people refuse to ever understand.