If you can administer it from a webUI that doesn't have authentication back to another device you hold with the keys for managing that Apple account, then so can an attacker.
For another phone, yes - that would work... but it needs to be one that holds the private keys for the Apple account.
Those keys are held by a part of the Apple hardware that prevents them from accidentally leaking outside. Because of how "find my device" works, leaking those keys would allow a 3rd party to track you (or access your stored secrets associated with your account) - and so Apple has been very careful with the hardware and software securing those keys.
From Apple's perspective, the ability to administer the family plan from a web UI is inherently risky and possibly privacy violating - neither are things they want to let go of. Part of the brand value is that it isn't risky to use their devices and that they make the privacy of the people them something that those people trust.
And so, consider, that you're asking Apple to allow someone to log into a website and use a password (possibly compromised) to restrict the functionality that a given device has without being able to verify back (send Apple verify codes to devices held by that same account) that the person making the changes is one who should be able to do it.
Apple allow me to buy stuff with my Apple account on other devices, Apple Music, iTunes, etc. So clearly if I'm giving them money they are just fine with non-Apple devices. All I want to do here is change the screen time allowance on my kid's phone. It's totally possible, and security is clearly not the reason if they allow 3rd party devices for financial transactions.