
This could be very fun on those websites that give you a code snippet to copy and paste and install oh-my-zsh and friends.



Or on crypto DEXes where you paste in one address, the compromised exchange website shows you what you pasted with a CSS overlay but in reality, the real input field underneath has already been replaced with a Tornado Cash address, so when you submit the form, it's crypto go bye bye.


This is not even a clipboard problem. If the site is compromised, they can display the correct value in the input form, but submit the malicious value in the code that triggers the wallet transaction.

The user’s wallet software can detect these by warning the user that the contract address is unknown or never before seen by them.


One safety measure is to enable a whitelist of trusted addresses.


Maybe we need a clipboard manager that blocks Chrome in such situations.


If you manually copy text, then that's a "gesture". Sites are able to add malicious code when you copy text and this won't change as far as I know. In terms of security, it's horrible but not new.



