florieger 9 days ago
How is it worse than using a password? I think I'm missing something, please explain. 1) User goes to BAD website. 2) BAD website says "Please enter your email and password". 3) BAD's bots start a "Log in with email and password" on the GOOD website using the user's email and password. 4) BAD now has full access to the user's GOOD account.
jaggirs 9 days ago
In your example, the user is logging in to BAD.com, thinking it is GOOD.com. In the OP's example, the user is logging in to BAD.com intentionally, but his GOOD.com account is still hacked into. This is a lot harder for the user to catch on to.
bmacho 9 days ago
I think GP has the following in mind:
In this case autofilled passwords are safe and convenient since they alarm the user that she isn't at GOOD.COM. A clickable link sent in email mostly works too, it ensures that the user arrives at GOOD.COM. (If BAD sends an email too, then there is a race condition, but it is very visible to the user.) Pin code sent in email is not very good when the user tries to log in to BAD.COM.
michaelsshaw 9 days ago
Password managers can catch this case by not autofilling, hinting the user to take a step back and pay attention.
pkilgore 9 days ago
You are. There is no password in these new flows. They just ask for email or phone and send you a code. Bad website only needs to ask for an email. It logs into Good with a bot using that email. Good sends you the code. You put the code in bad. Bad finishes the login with that code. At no point in time is a password involved in these new flows. It's all email/txt + code. Many sites work like this now. Resy comes to mind.
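The relay described in the comment above, and the contrast with the clickable-link flow discussed earlier in the thread, as an added simulation (not code from the original post or from any site mentioned). GOOD.COM, BAD.COM, the inbox and the browser identifiers are all constructed in memory; nothing here talks to a real service. The first site issues an emailed code and accepts it from whoever started the login, so BAD's bot, which started it, ends up with the victim's session. The second site emails a one-time link instead, and the session is created in whichever browser opens that link, which is the victim's, not BAD's.

```python
import secrets
from typing import Optional

# Constructed stand-in for the user's mailbox: email address -> delivered messages.
INBOX: dict = {}


def deliver(email: str, message: str) -> None:
    INBOX.setdefault(email, []).append(message)


class GoodCodeLogin:
    """GOOD.COM with an 'email me a code' login (the flow the comment describes)."""

    def __init__(self) -> None:
        self._pending = {}    # login_id -> (email, code)
        self.sessions = {}    # session token -> email

    def start_login(self, email: str) -> str:
        # Anyone can start a login for any email; only the code is secret.
        login_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[login_id] = (email, code)
        deliver(email, f"Your GOOD.COM login code is {code}")
        return login_id

    def finish_login(self, login_id: str, code: str) -> Optional[str]:
        # The session goes to whoever holds login_id and the code, no matter
        # how they obtained the code.
        entry = self._pending.pop(login_id, None)
        if entry is None or not secrets.compare_digest(entry[1], code):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = entry[0]
        return token


def relay_attack_with_codes(victim: str) -> bool:
    """BAD.COM relays the victim's code. Returns True if BAD ends up logged in as the victim."""
    good = GoodCodeLogin()
    # Victim visits BAD.COM on purpose and types their email; BAD's bot starts
    # a login at GOOD.COM with that email.
    bad_login_id = good.start_login(victim)
    # GOOD mails the code. The victim reads it and types it into BAD.COM
    # (simulated by BAD reading the last message in the constructed inbox).
    code = INBOX[victim][-1].split()[-1]
    # BAD finishes the login it started, using the code the victim handed over.
    token = good.finish_login(bad_login_id, code)
    return token is not None and good.sessions.get(token) == victim


class GoodMagicLink:
    """GOOD.COM with a clickable link: the session is created in the browser that opens it."""

    def __init__(self) -> None:
        self._pending = {}    # one-time link token -> email
        self.sessions = {}    # session token -> (browser_id, email)

    def start_login(self, email: str) -> None:
        token = secrets.token_urlsafe(32)
        self._pending[token] = email
        deliver(email, f"https://good.com/login/verify?token={token}")

    def open_link(self, browser_id: str, token: str) -> Optional[str]:
        # The token is consumed on first use; the session belongs to the
        # browser that presented it, which has to be at GOOD.COM to do so.
        email = self._pending.pop(token, None)
        if email is None:
            return None
        session = secrets.token_hex(16)
        self.sessions[session] = (browser_id, email)
        return session


def relay_attack_with_links(victim: str) -> dict:
    """Same attacker, same starting move, but GOOD uses links. Who ends up logged in?"""
    good = GoodMagicLink()
    good.start_login(victim)                      # BAD's bot starts the login
    token = INBOX[victim][-1].split("token=")[1]  # the link sits in the victim's inbox
    # The victim clicks it, so the victim's own browser arrives at GOOD.COM.
    victim_session = good.open_link("victim-browser", token)
    # Even if BAD later learns the link, the one-time token is already spent.
    bad_session = good.open_link("bad-bot", token)
    return {"victim_logged_in": victim_session is not None,
            "bad_logged_in": bad_session is not None}


if __name__ == "__main__":
    print("code flow, BAD holds victim session:", relay_attack_with_codes("alice@example.com"))
    print("link flow:", relay_attack_with_links("alice@example.com"))
```

The difference is where the secret is consumed: a code is typed into whatever page is in front of the user, so it travels to BAD and back; a link is opened by the browser that reads the email, so the session lands there. The link flow only stays safe as long as the user clicks the link rather than copying it into BAD.COM, and a second email from BAD (the race the thread mentions) would show up as an extra message in the same inbox.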
Someone 9 days ago
People hopefully won't reuse the username/password they use on GOOD to log into BAD, so the login that BAD does in step 3 will fail.