Anyway, just thought I'd mention it. If I were designing something doing financial transactions (@paypal, @stripe, etc.), I would have been very nervous about this, but apparently that was not the case?
This is exactly why the financial industry is moving to private-key-based authentication with OAuth extensions like FAPI. It hasn't hit the consumer-facing financial APIs like PayPal/Stripe yet, but it's becoming more normal in the backend of these systems.