For the average person it's best they use a cloud password manager as they're not responsible enough to do their own backups of a local password manager.
As far as I can tell Bitwarden doesn't inject any scripts. I know people complain it doesn't have that overlay like LastPass has but Bitwarden not having might be a plus now.
You do know uber and doordash accounts are hacked all the time because of password reuse? There is a huge black market for hacked accounts from doordash and the like.
It doesn't stop it but delays it. The attacker seeing a SMS 2FA screen doesn't mean they give up, it just means the user is now more valuable. This explains it https://passwordbits.com/dont-need-sms-2fa/
Nothing more lazy than doing something like generate a password for the user. The way most browsers work you have to go out of your way to not let it save and fill passwords.
If you create the password for the user they can't reuse it and thus no credential stuffing problems.
If they made it that far to get your password why do they need to log into your account? Having multiple locks on your door don't matter if they got in through a window.
If it's nothing new then why do people keep saying it's better to have SMS 2FA then to not have it. The research says "websites should eliminate SMS based MFA altogether".