that is a phenomenal question that deserves to be answered by the highly paid engineers at Google
they're smart, I'm sure they can find a way, even if it contains such horrible, detestable ideas like "more support staff" and "more training for support staff"
Companies with highly trained support staff regularly fall for these attacks.
The answer has been figured out by the highly trained engineers. It's "don't provide account recovery options that bypass 2fa". Yeah that sucks for a segment of people, but it sucks less than regularly getting your account stolen due to a social engineering attack. There really, truly, doesn't exist a panacea. You don't have and can't create an oracle that knows when an account recovery attempt is legitimate or not.
they're smart, I'm sure they can find a way, even if it contains such horrible, detestable ideas like "more support staff" and "more training for support staff"