RcouF1uZ4gsC 9 days ago

> 1) User goes to BAD website and signs up.

I think this is what Raymond Chen calls the other side of the airtight hatch.

The game is already over. The user is already convinced the BAD website is the good website. The BAD website could just ask the user for the email and password already and the user would directly provide it. The email authentication flow doesn’t introduce any new vulnerability and in fact, may reduce it if the user actually signs in via a link in the email.