Disabling 2FA on every group still requires users to have 2FA thus locking them out

Summary

Enabling 2FA requirement on some subgroups, and then removing this requirement makes every user in the main group still require 2FA.

Steps to reproduce

Take a look at this note: https://gitlab.com/gitlab-org/gitlab-ce/issues/53453#note_114955695

What is the current bug behavior?

Enabling 2FA requirement on some subgroups, and then removing this requirement makes every user in the main group still require 2FA. The configuration screen does not show you the LEAVE options anymore, because no group has 2FA requirement enabled. This locks everyone out of their account entirely. See the picture below.

What is the expected correct behavior?

Not enforcing users to enable 2FA when there are no groups requiring it.

Output of checks

This bug happens on GitLab.com