I refuse to do business with any business that uses plaid and has no sane alternative to get bank account numbers (deposit two small amounts, three days later I tell you what they are)
First time i saw it, i assumed the website had been hacked. I was actually more horrified when I found out that this was working as intended and some website wanted my bank password!
If in doubt, you should check your bank's terms of service for online banking.
I'm a bit horrified this is still a thing, too. Doing this just confirms you have the correct account and routing number, so you can deposit and withdrawal. It won't allow you to see transactions--will it?
FWIW, a minority of banks have "linked apps" that allow you to revoke access from the bank's website (some are clear they're restricting it to read-only access). But I'm not sure how consistent or widespread this kind of thing is. I doubt if you're offering a service like Plaid you could rely on only supporting these institutions.
This was my exact same impression. Even after some Googling and asking friends where I learned this was a thing, I was still very wary that it was legit.