Hacker News

whycombinetor, yesterday at 5:23 PM (2 replies)

Plaid wants you to enter your bank username and password into their form. If it were just routing+account, it would be truly no different from other bank connection methods.


Replies

hahn-kev, today at 4:25 PM

That's not how it worked last time I used it with Chase Bank. It used something like OAuth with my bank, where I logged in on my bank's website and was asked which accounts I wanted to share with Plaid.

formerly_proven, yesterday at 5:29 PM

Plaid works a lot like PSD2-based services in the EU, then, which also typically consist of a form hosted by the service, using Times New Roman and the original padlock.gif from Netscape, asking for your IBAN and online banking password and then a TAN/2FA number. Obviously there are no technical controls at that point on what the service can do in your account. I tend to avoid anything PSD2 for much the same reasons as Plaid; it's extremely sketchy. Somehow we can have scoped access using OAuth for random web services, but for a credit check it's "please just give us your online banking login, despite everyone telling you since 1995 that you're not supposed to hand that to anyone and to always double-check that the URL in the address bar is yourbank.com... we assure you nl-gwlogin.xs2a.openbankingservices.co.net is an entirely legitimate place to enter your PIN".

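The contrast drawn in the thread above (a form that collects the online-banking password versus a bank-hosted consent screen that hands the third party a scoped token) can be modelled in a few dozen lines. This is an added, constructed example, not Plaid's, any bank's, or any PSD2 gateway's code: BankCore, AuthServer, the scope names, the sample user and the bank host are all assumptions for illustration. It also includes the address-bar check the comment mentions, implemented as a dot-boundary host comparison so that a lookalike domain does not pass.

```python
"""Toy model of two bank-connection designs: handing a service the
online-banking password versus OAuth-style delegation with explicit scopes.
Constructed example; BankCore, AuthServer, scope names and the sample user
are assumptions, not any real bank or aggregator API."""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample user; a real bank would store a password hash, not plaintext.
USERS = {"alice": {"password": "correct horse", "accounts": {"NL01BANK0123456789": 1500}}}


class Forbidden(Exception):
    pass


def login_page_is_at_bank(url: str, bank_host: str) -> bool:
    """The address-bar check: HTTPS and a host that is the bank's domain or a
    subdomain of it. The dot boundary matters: 'yourbank.example.evil.net' fails."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bank_host = bank_host.lower()
    return parts.scheme == "https" and (host == bank_host or host.endswith("." + bank_host))


class BankCore:
    """Resource server. A password login yields an unrestricted session (what a
    credential-collecting form obtains); a delegated token yields a session
    limited to the scopes the customer consented to."""

    def __init__(self):
        self.sessions = {}  # session id -> (user, frozenset of scopes, or None)

    def login_with_password(self, user, password):
        if not hmac.compare_digest(USERS[user]["password"].encode(), password.encode()):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, None)  # None: every operation allowed
        return sid

    def session_from_token(self, auth, token):
        user, scopes = auth.introspect(token)  # raises if unknown or revoked
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, scopes)
        return sid

    def _require(self, sid, scope):
        user, scopes = self.sessions[sid]
        if scopes is not None and scope not in scopes:
            raise Forbidden(f"session lacks scope {scope!r}")
        return user

    def list_accounts(self, sid):
        return dict(USERS[self._require(sid, "accounts:read")]["accounts"])

    def transfer(self, sid, iban, amount):
        accounts = USERS[self._require(sid, "payments:write")]["accounts"]
        accounts[iban] -= amount
        return accounts[iban]


class AuthServer:
    """Bank-hosted consent: the customer authenticates at the bank, narrows the
    scopes, and the third party only ever receives a revocable token."""

    def __init__(self):
        self.codes = {}   # one-time code -> (user, scopes, client)
        self.tokens = {}  # token -> (user, scopes)

    def authorize(self, user, password, client, requested, approved):
        # The password is typed at the bank, never at the third party.
        if not hmac.compare_digest(USERS[user]["password"].encode(), password.encode()):
            raise PermissionError("bad credentials")
        granted = frozenset(requested) & frozenset(approved)  # customer may narrow
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, granted, client)
        return code

    def exchange(self, client, code):
        user, scopes, bound_client = self.codes.pop(code)  # single use
        if bound_client != client:
            raise PermissionError("code issued to a different client")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, scopes)
        return token

    def introspect(self, token):
        if token not in self.tokens:
            raise PermissionError("token unknown or revoked")
        return self.tokens[token]

    def revoke(self, token):
        self.tokens.pop(token, None)  # cuts off one service; password unchanged


def demo():
    """Returns what an aggregator can do under each design."""
    bank, auth = BankCore(), AuthServer()
    harvested = bank.login_with_password("alice", "correct horse")  # design 1
    password_can_pay = bank.transfer(harvested, "NL01BANK0123456789", 100) == 1400
    code = auth.authorize("alice", "correct horse", "aggregator",  # design 2
                          requested={"accounts:read", "payments:write"},
                          approved={"accounts:read"})
    token = auth.exchange("aggregator", code)
    delegated = bank.session_from_token(auth, token)
    token_can_read = bank.list_accounts(delegated) == {"NL01BANK0123456789": 1400}
    try:
        bank.transfer(delegated, "NL01BANK0123456789", 100)
        token_can_pay = True
    except Forbidden:
        token_can_pay = False
    auth.revoke(token)
    try:
        bank.session_from_token(auth, token)
        revoked_rejected = False
    except PermissionError:
        revoked_rejected = True
    return {"password_can_pay": password_can_pay, "token_can_read": token_can_read,
            "token_can_pay": token_can_pay, "revoked_rejected": revoked_rejected}
```

The point the model makes explicit: once a service holds the password, `BankCore` has no way to tell it apart from the customer, so every operation is allowed; with the delegated token, the scope check in `_require` is enforced by the bank, and `AuthServer.revoke` shuts off that one service without touching the password.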