Hacker News

weird-eye-issue, yesterday at 1:56 PM

This is where password managers are useful because they would refuse to fill in login information since the domain doesn't match
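As an added illustration of the point above (example code written for this thread, not from the commenter or from any particular password manager), here is the kind of origin check a password manager performs before offering to fill a saved credential. The credential, the saved origin and the page URLs are constructed sample values; `bank.example.com` and `evil-phish.test` are placeholders. The strict mode compares scheme, host and port exactly, which is what defeats lookalike hosts, hostnames hidden behind a `user@` prefix, and plaintext downgrades; an optional relaxed mode accepts subdomains of the saved host, but still rejects a host that merely contains the saved name.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    """A saved login, bound to the origin it was captured on (constructed sample)."""
    origin: str    # e.g. "https://bank.example.com"
    username: str
    password: str


def origin_of(url: str):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed safely.

    The host comes from urlsplit().hostname, so any 'user:pass@' prefix is
    discarded rather than mistaken for the host. Default ports are filled in
    so 'https://h' and 'https://h:443' compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    if not scheme or not host:
        return None
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = {"http": 80, "https": 443}.get(scheme)
    return (scheme, host, port)


def should_fill(cred: Credential, page_url: str, allow_subdomains: bool = False) -> bool:
    """Decide whether the saved credential may be offered on page_url.

    Policy (an assumption of this example, not any vendor's documented rule):
      * never fill over plaintext HTTP;
      * scheme and port must match the saved origin exactly;
      * host must match exactly, or, if allow_subdomains is set, be a
        true subdomain of the saved host (suffix match after a dot, so
        'bank.example.com.evil-phish.test' never qualifies).
    """
    saved = origin_of(cred.origin)
    current = origin_of(page_url)
    if saved is None or current is None:
        return False
    if current[0] != "https":
        return False
    if saved[0] != current[0] or saved[2] != current[2]:
        return False
    if saved[1] == current[1]:
        return True
    if allow_subdomains and current[1].endswith("." + saved[1]):
        return True
    return False


# Constructed sample credential and a set of constructed page URLs.
SAVED = Credential("https://bank.example.com", "alice", "correct horse battery staple")

SAMPLE_PAGES = [
    "https://bank.example.com/login",                     # genuine login page
    "https://login.bank.example.com/",                    # subdomain of the saved host
    "https://bank.example.com.evil-phish.test/login",     # saved host as a prefix of another domain
    "https://bank-example.com/login",                     # hyphen lookalike
    "https://bank.examp1e.com/login",                     # digit-for-letter lookalike
    "https://bank.example.com@evil-phish.test/login",     # saved host placed in the userinfo part
    "http://bank.example.com/login",                      # plaintext downgrade
    "https://bank.example.com:8443/login",                # unexpected port
]


def evaluate(cred: Credential, urls, allow_subdomains: bool = False) -> dict:
    """Map each URL to the fill decision, so a reviewer can see the policy at a glance."""
    return {u: should_fill(cred, u, allow_subdomains) for u in urls}


if __name__ == "__main__":
    for url, ok in evaluate(SAVED, SAMPLE_PAGES).items():
        print(f"{'FILL  ' if ok else 'REFUSE'} {url}")
```

In strict mode only the first URL is filled; with `allow_subdomains=True` the `login.bank.example.com` page is filled as well, and every other sample is still refused.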


Replies

tuetuopay, yesterday at 6:31 PM

That's without considering a lot of banks have non-textual inputs for their passwords. Man they love their scrambled virtual keyboard!

I think the worst I ever had was HSBC that asked me for fragments of my password, like characters 4, 6, 7, 11, and 12. Absolute bonkers of a security theatre.

pibaker, today at 2:56 AM

Unfortunately it's not uncommon to find legitimate websites that break autofill in some ways. And the more such websites a user encounters, the more likely he will just mindlessly paste his password into a phishing site as he has learned to do for real ones.

Passkeys solve this problem but have their own usability issues.

StableAlkyne, yesterday at 2:34 PM

I use KeePass (FOSS under GPL, fully offline).

It does not detect domains.

vel0city, yesterday at 2:00 PM

"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."

Meanwhile U2F/Passkeys can't possibly be abused like this.
