This could be implemented as a checkbox during 2FA setup as a "Trust this device with QR code?" setting or as an Advanced Security 2FA setup. It would require the authentication device to have an internet connection at the time of setting up.

While generating QR code for setting up 2FA, instead of sending secret to browser/device that could be copied by malware or other screen-based exploits, secure enrollment creates a single-use QR code with a nonce.
The nonce QR code would then generate a single-use cryptographically signed digit value that would display in the Authenticator on one device only.
If another device tries to scan the same code after the digit value has been fetched, it will say expired. If another device fetches the nonce QR digit value before the user can scan it, they will simply get an expired as well, and be able to generate a new QR on the untrusted device.
Inputting the correct 4 to 6 digit code from the app onto the untrusted device in a box under where the QR was generated would allow the real secret to be securely downloaded via encryption and https on the trusted phone/device that scanned the single-use nonce QR code, without the secret ever showing on the untrusted device or loading into the web browser. Thus, the trusted device with the authenticator is given the true key while the untrusted device doesn't receive one bit of secure information.

Also leave generating the 20 backup codes as optional too to reduce attack surface of screen-based exploits and potential malware. They could then be generated within the authenticator app at a later time if desired.