I ended up just using Google Authenticator because I don't feel like re-inveting the wheel or manually importing dozens of 2FA services into a new app.
Google Authenticator has no network access and no access to anything else, so I can't imagine this being a privacy concern, right?
If I could go back in time and choose a different Authentication app, I would, but I guess I'm too invested in it now.