1. If you go to your WordPress profile and go to setup Defender's 2FA, there is no option to enter the 2FA setup code manually.
Most 2FA implementation allow you to enter the setup code manually in case you don't have a camera at the ready to scan the QR code, so this would be a nice improvement for Defender.
2. It was mentioned somewhere that Defender is going to get a feature to enable the HSTS security header. But there are a couple more headers that could be useful.
I'd like to see the headers on this page: https://www.123.org/index.php/OWASP_Secure_Headers_Project#tab=Headers added to Defender as well.