Yeah, that is not mitigated by U2F on Google account, but mitigated if Netflix had requested authentication on setting change. As Schneier said, such thing will be inevitable once numerous services intercross each other. For me it's yet another reason not to use such online services. Laugh at me if you want, but I still go to local video rental shop when I want to watch an old movie. I have a Kindle but never use it, instead go to bookstore. I don't use Google calendar nor Outlook scheduler, but use paper schedule planner and a pen. These are not necessarily for security, but there're advantages for them, which are seemingly not widely recognized. I value chance encountering with a book much more than useless Amazon recommendation.
I mitigate credit card risk by using virtual credit cards ONLY for anything online. Each virtual card # is only valid for one merchant number so its completely useless if a database gets hacked and the number falls in the wrong hands. Nobody online EVER gets my actual real card numbers. This just works, and very well at that.
If I laughed at you for doing that I would have to laugh at myself too, I am not interested in using any of those services since I learned how they monetize our personal information. We don't have video rental stores anymore, so I buy movies from flea markets, thrift stores etc. Last week I had a field day in a local liquidation stock outlet they had thousands of dvd movies from the old Blockbuster Video stock liquidation. Twenty cents each!!! I bought more than I could count. They even had entire seasons of every old TV show I could think of. I spent about $40 and went home with a box full.