
They prevent you from being one of these, and copy pasting the password from password manager into the wrong input field. Something that still happens often with many websites not properly auto-filling from password managers.

> They just rely on you being busy, or out, or tired, and just not checking closely enough



If you are "copy-pasting" you are not using your password manager correctly.


Password managers rarely are able to autofill 100% of the time. Autofill breaking is not a very strong indicator of a phishing attempt, people are used to manually filling the password in sometimes for totally legit sites.


I'm used to 1Password not being able to autofill, yes. But I'm not used to no account showing up at all when I open the UI panel. If that happens, I immediately know I'm on the wrong domain.


You know you're on a new domain. However, sites change their auth flow much more often than any particular person gets phished. So, if you're using a larger variety of sites, you'll likely encounter the benign situation at least a dozen times before you ever encounter your first actual phishing attempt, at which point you'll have gotten used to it.

For example, Twitter relatively recently changed from authenticating on twitter.com to redirecting you to x.com to authenticate (interestingly, Firefox somehow still knows to auto fill my password, but not my username on the first page).


It's far too common for websites to redirect to some separate domain for sign in which isn't the one originally used to sign up, getting users used to "oh gotta copy the password again" as a totally normal thing that happens.


I keep hearing people say this, but I haven’t found it so: in over a decade, I think I’ve only seen it twice. Looking through my password safe which I’ve been using for about twelve years with over 200 entries, I have nine cases with multiple origin URLs, and most of them I’m confident I added manually because I didn’t like the URL it recorded automatically (e.g. it’s on a different domain from the main site, and the specific path is for signup only, but I want to be able to “visit site” from the password safe and get to the login page or at least the homepage). I think that only two of them have ever actually used more than one origin: a banking one that switched from .com.au to .com at some point as part of a broader global restructuring (and they made a fair bit of noise about it, and you had to partly make a new account anyway), and a Microsoft account. There’s a third that I can’t check (COVID-related, gone) that might have been, but I don’t think so.

Now on a few occasions I’ve had to copy passwords in order to access things in a different browser, and I think I did encounter one site some years ago where autofill didn’t work, but I really do find autofill almost completely reliable.


While you kind of addressed it below, I'm not sure you know how bad state government websites can be here in the US.

In Texas I've had more than one site where you create the login on one site, but use that same login on multiple different domains that are NOT directly connected to a singular authentication site (id.me in the example).


go to tax.gov

You'll identify on id.me

People have just gotten used to this sort of thing unfortunately


That’s a different issue, though related.

For password safe users, auth being handled entirely on a different origin is completely fine, so long as the credentials are bound to (only used on, including initial registration) that origin. The hazard is only when login occurs via multiple domains—which in this case would mean if you had <input> elements on both tax.gov and id.me taking the same username and password, which I don’t believe you do. Your password safe won’t care if you started at https://tax.gov, the origin you created the credentials on was https://id.me, and so that’s the origin it will autofill for.
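The origin check the comment above describes, as an added example that is not part of the thread or of any real password manager's code: a credential is bound to the exact origin (scheme, host, port) it was created on, so a safe will offer the id.me entry on https://id.me but nothing at all on https://tax.gov or on a look-alike host. The vault entries, placeholder credentials and URLs below are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample vault with placeholder credentials. Each entry records the
# origin(s) the credential was created on, the way a password safe does; the
# bank entry mirrors the ".com.au to .com" case from the thread.
VAULT = [
    {"name": "id.me", "origins": ["https://id.me"],
     "username": "alice@example.com", "password": "placeholder-1"},
    {"name": "Example bank",
     "origins": ["https://bank.example.com.au", "https://bank.example.com"],
     "username": "alice", "password": "placeholder-2"},
]


def origin_of(url: str) -> tuple:
    """Return the (scheme, host, port) origin of a URL, as a browser defines it.

    Host is case-insensitive and the default port is filled in, so
    https://ID.ME:443/login and https://id.me/ are the same origin.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def matching_entries(vault, page_url: str) -> list:
    """Entries whose stored origins exactly equal the current page's origin.

    Exact equality is the safety property: a host such as
    id.me.login-portal.example contains the string "id.me" but is a different
    origin, so no credential is offered there. Substring or suffix matching
    would defeat the protection the thread relies on.
    """
    page = origin_of(page_url)
    return [e for e in vault if any(origin_of(o) == page for o in e["origins"])]


def autofill_decision(vault, page_url: str) -> str:
    """What the safe's UI panel would show on this page."""
    names = [e["name"] for e in matching_entries(vault, page_url)]
    if not names:
        # The "no account showing up at all" signal from the thread.
        return "no entry for this origin"
    return "offer: " + ", ".join(names)


if __name__ == "__main__":
    for url in ("https://id.me/session/new",
                "https://tax.gov/login",
                "https://id.me.login-portal.example/",
                "http://id.me/",
                "https://bank.example.com/login"):
        print(f"{url:45} -> {autofill_decision(VAULT, url)}")
```

Starting at tax.gov and being redirected to id.me is fine under this rule because the credential was registered on id.me; the safe keys on where the form is, not where the journey began. The only case that requires a second stored origin is the bank entry, where the same username and password are genuinely accepted on two origins.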


That should only happen once, you should store the password for the second domain too.


As I said in my comment above, sometimes it’s necessary as websites break the auto fill, or mobile apps don’t offer the password manager sheet.


This very story illustrates how people will override their password manager's builtin protections when panic ensues.


If only everyone did everything perfectly all the time, we wouldn't have any issues!




