If a 3rd party product advertises compatibility with a Google service and you use it to login via a first party Google login page, doesn’t the responsibility fall somewhere between the offending product and Google itself? In practice it’s structured pretty much like a phishing attempt.

Notably some model providers explicitly allow that very flow, while others will ban you without notice.