The instance profile example makes it seem like you need to specify the account for "Service": "ec2.amazonaws.com" just with another syntax, while service principals are always in the same account AFAIK.
The old solutions to phishing, education and weak 2fa, are in the way of the new and improved solutions, FIDO, passkeys. Nobody wants to admit that the old ways were lacking. They were hipped too hard. It's like when new health guidelines appear and contradict the old ones.