When someone steals your device, you change your passwords and Google ends all active sessions automatically. If you use a session cookie from a very different location (e.g. another country, it also asks to re-enter the two-factor token.
That leaves the chance of having your system being compromised through the internet. Sure, that's possible.
Well, yeah, but what does two-factor auth help with any of that? Ending all existing sessions when you change the password doesn't require a second factor. Limiting the validity of a cookie to one country also doesn't seem to me to be much of a security feature, and more something that prevents you from using the service anonymously through Tor - the local thief won't be far from you and the botnet operator probably has more than enough systems in your vicinity to tunnel through, and in any case requiring the password would do the job equally well, wouldn't it?
That leaves the chance of having your system being compromised through the internet. Sure, that's possible.