Hacker News

lxgr, yesterday at 7:27 PM

> They can do anything you can do when logged in to the bank's website

Which is hopefully nothing beyond looking at transaction data without 2FA.


Replies

robhlt, yesterday at 7:52 PM

Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else.

They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.
