I only once got a real security notice from Google and this was several years ago, before Covid even. It simply stated that a (correct) login attempt was made, but from an IP address in China, and Google blocked this by default because it was "suspicious".
I changed all my passwords and have never had a problem since, but I agree with your scenario. There's ample stories of people even having 2FA set up and still getting locked out from their own accounts, although I suspect the grand majority of these cases are through social engineering rather than actual hacking.