e2e encryption is not trying to solve the problem you describe. If I'm going to open and view private notes on a non-private machine, no amount of encryption will help me.
If anyone from Zerodha tech team is here, I wonder what's the reasoning behind Zerodha's weird 2FA setup? A static password + a static pin is not really 2FA IMO. What's the problem with supporting standard hardware or app based 2FA that requires an OTP?