MFA to log into the PrivacyIdea

Can I enable MFA to log into the PrivacyIdea itself? It turns out strange: we seem to be trying to reduce the risks of password theft, but in fact the PI will stick out, you can go there with a stolen password and make yourself another token

You are right.
This is why you can enable 2FA at the privacyIDEA WebUI - like always and ever!
https://privacyidea.readthedocs.io/en/latest/policies/webui.html#login-mode