Use 1Password or similar instead. They’re keyed against a key they don’t have access to.

How do you avoid losing that key?

They have a recovery sheet you can print. If you lose your key, you can use the recovery information on that piece of paper to regain access. You put the recovery information in a safe place.

That is also exactly why people like myself are so against passkeys, there are no offline recovery.

As stated you can generate backup keys, but you can also associate more than one hardware token to your account. Which is what I do. I keep a separate yibikey in a lockbox off site as a break glass option.

No, not "only". E2EE is now used as a dog whistle.

Who holds/controls the keys on both ends?

End-to-end usually means only the data's owner (aka the customer) holds the keys needed. The term most used across password managers and similar tools is "zero knowledge encryption", where only you know the password to a vault, needed to decrypt it.

There's a "data encryption key", encrypted with a hash derived of your username+master password, and that data encryption key is used locally to decrypt the items of your vault. Even if everything is stored remotely, unless the provider got your raw master password (usually, a hash of that is used as the "password" for authentication), your information is totally safe.

A whole other topic is communications, but we're talking decryption keys here

That's right, and Microsoft Authenticator isn't.