eddythompson80 9 days ago

They are, which is one major issue with TOTP and most current MFA methods. There is an implicit assumption that you only get the full benefit if you're using a password manager.

1. A password manager shouldn't be vulnerable to putting your password in a phishing site.

2. If your password is leaked, an attacker can't use it without the TOTP.

Someone who doesn't use a password manager won't get the benefits of #1, so they can be phished even with a TOTP. But they will get the benefits of #2 (a leaked password isn't enough).

Passkeys assume/require the use of a password manager (called a "passkey provider").

LoganDark 9 days ago | parent [-]

Passkeys do largely solve this issue. I love to use them whenever I can.
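
The difference the thread describes, seen from the server's side, as an added example that is not part of either comment: a TOTP check has no input that identifies the site the code was typed into, while a WebAuthn (passkey) check includes the origin the browser recorded. The origins, secret, timestamp and challenge are constructed values, and signature verification is assumed to happen elsewhere.

```python
import base64, hashlib, hmac, json, struct

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    # The server receives only the digits. Nothing in them records which
    # site the user typed them into, so the check cannot tell a direct
    # login from one forwarded by a look-alike site.
    return any(hmac.compare_digest(totp(secret, now + d * 30).encode(), code.encode())
               for d in (-1, 0, 1))

def verify_client_data(client_data_json: bytes, rp_origin: str, challenge: bytes) -> bool:
    # WebAuthn: the browser, not the user, writes the page's origin into
    # clientDataJSON, and the authenticator's signature covers its hash.
    # Signature and rpIdHash verification are omitted here (assumption:
    # they are done elsewhere); this shows only the origin binding.
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == b64url(challenge)
            and data.get("origin") == rp_origin)

def demo() -> dict:
    secret = b"12345678901234567890"   # constructed secret (RFC 6238 test key)
    now = 1_700_000_000                # constructed login time
    typed_code = totp(secret, now)     # user types this on whatever page asks
    challenge = b"constructed-challenge"
    rp = "https://example.com"

    def assertion_from(origin: str) -> bytes:  # what a browser on `origin` would produce
        return json.dumps({"type": "webauthn.get", "origin": origin,
                           "challenge": b64url(challenge)}).encode()

    return {
        "totp_forwarded_20s_later": verify_totp(secret, typed_code, now + 20),
        "passkey_on_real_site": verify_client_data(assertion_from(rp), rp, challenge),
        "passkey_on_lookalike": verify_client_data(
            assertion_from("https://example-login.test"), rp, challenge),
    }

if __name__ == "__main__":
    print(demo())
```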