Keep in mind that Google Authenticator stores arbitrary third-party credentials, though. Subpoena Google and you could get Google's TOTP token for you, along with the rest of your account, sure. Sync Google Authenticator to Google, and suddenly they don't have to subpoena anyone else--just use their Gmail account to reset all their passwords for every other service, and use their TOTP tokens to sign into them. This basically removes the "Principle of Least Privilege" way that subpoenas work.