
That's indeed a tricky one. Even though I work with PWAs, I could see myself being misled by this with a GitHub credential. Good reminder to only connect third-party services with access tokens.


Many applications will obtain such a token through an OAuth flow of some kind.

Using a browser-integrated password manager or passkey will usually prevent this attack, though.


Nah, it won't, because it happens all the time that my password manager doesn't recognize the current URL: the auth sign-in flow had so many weird URLs in it that I had to save the URL manually, and now it's not the right URL, so I copy out the password manually instead of autofilling it. This was actually the case for my Google account, which I created through Gmail, but then my Gmail password wasn't using the right URL for all the other Google services. Now that I think about it, this was also the case for my Microsoft account that I got a long time ago through Hotmail.

I think that this is a fairly legitimate attack vector, and it's sad because I really want to be able to hide the URL bar in my PWAs through custom styling to make them look more like a real native app.


You're right about simple password managers, but passkeys do prevent this flaw.

