In your example, the user is logging in to BAD.com, thinking it is GOOD.com.

In the OP's example, the user is logging in to BAD.com intentionally, but his GOOD.com account is still hacked into.

This is a lot harder for the user to catch on to.

I think GP has the following in mind:

  - user has an account on GOOD.COM
  - user has saved her password in her browser
  - user navigates to BAD.COM

In this case autofilled passwords are safe and convenient since they alarm the user that she isn't at GOOD.COM.

A clickable link sent in email mostly works too, it ensures that the user arrives at GOOD.COM. (If BAD sends an email too, then there is a race condition, but it is very visible to the user.)

Pin code sent in email is not very good when the user tries to log in to BAD.COM.

Password managers can catch this case by not autofilling, hinting the user to take a step back and pay attention.

You are.

There is no password in these new flows. They just ask for email or phone and send you a code.

Bad website only needs to ask for an email. It logs into Good with a bot using that email. Good sends you the code. You put the code in bad. Bad finishes the login with that code.

At no point in time is a password involved in these new flows. It's all email/txt + code.

Many sites work like this now. Resy comes to mind.

People hopefully won’t reuse the username/password they use on GOOD to log into BAD, so the login that BAD does in step 3 will fail.