Thanks! And no, I have to say I hadn't really considered that angle. In the example that you linked, they didn't steal the domain, they just changed the MX records, so transfer lock wouldn't help.

That being said, my account with my registrar is 2FA-enabled and I do have transfer lock turned on. I hope that someone wouldn't be able to social engineer their way into my Hover account, but who knows.

Maybe I just mention this in a footnote.