I think BofA does this, which I like. When I linked my account to Robinhood through Plaid, it asked for 2FA (text or phone call, BofA doesn't support TOTP codes) and verified in, then asked me to select which accounts to grant access to. Since it doesn't need the 2FA subsequently, it must be doing some kind of OAuth style authentication when it passes that token to the bank and then gets a long-term access token for that specific account.
From an HTTPS perspective this is still pretty concerning though. AFAIK browsers would block the Plaid widget if someone tried to load it insecurely and the page was HTTPS (what users have been trained to look for). But without going into devtools there is no easy way to verify that the widget is actually a real Plaid widget, thus POSTing your password directly to their server and not the merchant's, and no way at all to verify that they have such a partnership with your bank sanctioning them to collect your password.
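As an added example (not code from the comment above, and not Plaid's or any bank's real integration), here is the minimum an embedding merchant page can do to pin a third-party account-linking widget to one exact HTTPS origin and to accept only a callback token from that origin, rather than anything resembling credentials. The origin `https://widget.example-aggregator.test`, the `link_success` message shape, and the field names are placeholders chosen for the example.

```javascript
// Added example: pin an embedded account-linking widget to one exact HTTPS
// origin and only trust postMessage callbacks from it. The origin below and the
// message shape are hypothetical placeholders, not any real provider's endpoint.
const WIDGET_ORIGINS = new Set(["https://widget.example-aggregator.test"]); // assumed

// Return the exact origin (scheme + host + port) of a URL, or null when it is not
// an https:// URL. `new URL` throws on malformed input, which is mapped to null.
function widgetOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null; // plain http, javascript:, data:, ...
  return parsed.origin;
}

// Decide whether an iframe src may be loaded as the widget. Comparing whole
// origins (never substrings or prefixes) rejects look-alike hosts such as
// https://widget.example-aggregator.test.attacker.invalid/.
function isAllowedWidgetSrc(url) {
  const origin = widgetOrigin(url);
  return origin !== null && WIDGET_ORIGINS.has(origin);
}

// Build a Content-Security-Policy value so the browser itself refuses to frame
// anything except the allowed origins, even if a later script swaps the src.
function buildFrameSrcCsp() {
  return `frame-src ${[...WIDGET_ORIGINS].join(" ")};`;
}

// Handle the widget's postMessage callback. `event` has the shape of a
// MessageEvent ({ origin, data }). Only messages from the pinned origin are
// trusted, and the only payload accepted is an opaque public token plus the
// account ids the user chose; passwords or OTP codes never pass through here.
function handleWidgetMessage(event) {
  if (!event || !WIDGET_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (!data || data.type !== "link_success" || typeof data.publicToken !== "string") {
    return null;
  }
  // The merchant backend exchanges this short-lived public token server-side
  // for the long-lived, account-scoped access token the comment describes.
  return {
    publicToken: data.publicToken,
    accounts: Array.isArray(data.accountIds) ? data.accountIds : [],
  };
}

// Constructed sample run (a fake callback, not captured traffic).
const sample = handleWidgetMessage({
  origin: "https://widget.example-aggregator.test",
  data: { type: "link_success", publicToken: "public-tok-abc", accountIds: ["acct_1"] },
});
console.log(buildFrameSrcCsp(), sample);
```

Note that this only lets the merchant constrain what its own page embeds; it does nothing for the end user's ability to tell, from the address bar alone, whose form they are typing into, which is the gap the comment is pointing at.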