> A 32-character password + TOTP can still be entered on a phishing website, e.g. if you happen to follow a fabricated link.

…How? The password manager only permits exact links. If the URL does not have the UTF-8-identical characters to the correct URL - at which time, IT IS the correct URL - it will simply not populate the username and password fields.
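The matching behaviour described in the reply above, as an added example that is not part of the original thread or any particular password manager's code. It assumes the manager keys a saved credential to the origin (scheme, host, port) of the URL it was saved for; `shouldAutofill`, `originOf` and the sample URLs are hypothetical.

```javascript
// Added illustration; function names and sample entries are hypothetical.
// Assumption: a credential is bound to the origin of the URL it was saved
// for, and is offered only to a page with an identical origin.

function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    // Only web origins are eligible. The WHATWG URL parser lowercases the
    // host and converts non-ASCII labels to punycode, so a lookalike
    // character yields a different host string instead of a visual match.
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null; // unparsable input never matches anything
  }
}

function shouldAutofill(savedUrl, pageUrl) {
  const saved = originOf(savedUrl);
  const page = originOf(pageUrl);
  return saved !== null && saved === page;
}

// Constructed sample data (example.com and .test are reserved names).
const SAVED = "https://example.com/login";
const CANDIDATES = [
  "https://example.com/account/signin",   // same origin, different path
  "https://ex\u0430mple.com/login",        // Cyrillic "a" lookalike in the host
  "https://example.com.evil.test/login",  // saved name appears only as a prefix
  "http://example.com/login",             // same host, different scheme
];

// Returns one decision per candidate so callers can inspect or log them.
function evaluate() {
  return CANDIDATES.map((url) => ({ url, fill: shouldAutofill(SAVED, url) }));
}

for (const { url, fill } of evaluate()) {
  console.log(fill ? "fill  " : "refuse", url);
}
```

Only the first candidate is filled; the decision is made on the parsed origin, not on how the address looks to the person reading it.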