But what comes after? Can users decline or at least downgrade the level of access requested by whoever wants to peek into their bank account? Do banks clearly indicate (and periodically remind the user about!) all parties currently having access to their account?

It's usually still persistent full access, and given that, the question of whether the user's password also leaks in the process is almost besides the point.