I pay for several services via SEPA direct debit and the only things I had to provide to sign up was an IBAN and a pinky-promise I was the account holder. As far as I know they have to way to correlate the identity information on the provider account to the bank account holder’s, so it should work in case of fraud too. This lines up with how UK direct debits work as well, where a “sort code” (bank identifier) and account number are enough.

I presume the only security there is arises from the fact that those transactions can be reversed by the account holder within a generous grace period, and that this method of payment is only ever used to pay for long-standing services where there’s a strong paper trail to the beneficiary of said service (so not much point in doing the fraud to begin with).

That sounds right.

IME, though, the whole authorization system I've had to use with SEPA and IBANs feels more secure, and I've had no misgivings about using it to transfer or receive money.

By comparison, using ACH to transfer funds between accounts is usually bidirectional in bank apps, so if you give me your account info so I can send you money, I can also use that same info to withdraw money.

That means I'd never send you my routing and account number even if the original purpose is for you to send me money.