Via HackerOne. We currently MFA on making an email address primary, but don't on most other address operations.
It isn't technically necessary to MFA users on these other operations (at least today, these operations do not directly support any meaningful attacks, since non-primary addresses do very little) but they're generally reasonable to MFA. I believe I declined to MFA them originally because I was worried about fatiguing users with MFA prompts, but we haven't seen feedback to this effect (i.e., users don't seem to find MFA prompts burdensome in practice) and these operations are rare.
This primarily just aligns MFA behavior with user and researcher expectations, and hardens these workflows against possible future bugs or errors which might make them more dangerous than they are today.