I was specifically thinking banking and it’s exactly this type of spear phishing attack that happens (although with other types of tokens the Fido). In these scenarios, you only need to move the money once.

You definitely have a point with regard to non-transaction usage that requires long term access