I would also add: don't answer password reset questions genuinely. Always use unique decoy info (for each site) when answering security questions. Keep them in the notes section of your password manager.

Discussion

Do you recommend to store 2FA secrets in a vault separate from the passwords? (Multiple points of failure?)

Yes, the minor inconvenience of using a separate app to store codes is worth the extra seconds, in contrast to the pain should your password manager get pwned.

Yes. Ex: Bitwarden + KeePass, but it depends on your threat model. Most people will be significantly better off just keeping them in the same password manager.

Get a Yubikey or similar and use WebAuthn 2FA everywhere it's possible, then store your TOTP in the Yubikey for other services not using WebAuthn. Also, you should back up the TOTP setup or use backup codes when available, stored separately from your main password manager, ideally on paper, but I find it more convenient to keep an old (degoogled) phone and have all TOTP in andOTP, which allows you to export a PGP-encrypted backup of all your codes and can be locked with a password (on top of your unlock scheme).

I wrote a detailed article some time ago, and it's still mostly up to date: https://eluc.ch/password-managers-and-authentication-tools/