
How real is the evil maid threat model where they open up your password manager but don’t have enough time to install a key logger? And even if this threat model matters, 2fa defeats it.

This entire horcrux system feels like cleverness for cleverness’ sake rather than actually addressing a meaningful threat model.



I don't have a strong opinion on the horcrux system. It's a simple solution to a minor class of threats. Six to one, half dozen to the other.

My issue was that the "whole solution" to the problem proposed by the parent relies on idealised password manager usage which I don't think is representative of real-world use.


> It's a simple solution to a minor class of threats.

The threat models it addresses are (1) "evil maid without time to download a keylogger", (2) "cloud leak of your password database alongside sites that aren't using any 2fa" and (3) "cloud leak of your password database alongside SMS-based 2fa and a desire to go through the trouble to SIM-swap you".

All of these threat models are handled with TOTP-2FA. (1) is rare. (2) and (3) require your password manager to be compromised but not your application's password database.

In practice, virtually all threats to online accounts are phishing or password stuffing from database breaches. This system does not change your posture against these threats.

People will only follow so much security advice, so you need the specific small set of things that you recommend to everybody to address the most common threats, and you need the set of things you recommend to more targeted individuals to actually address a wide range of threats. Introducing additional systems that address a subset of meaningful threat models just introduces confusion.

"Use a password manager with autofill to generate unique passwords" defeats credential stuffing and most forms of phishing. This system is worse against phishing since you personally type in the password. "Use a password manager with autofill and a yubikey" fully defeats credential stuffing and phishing. It also defeats the situations addressed by horcruxes.

> My issue was that the "whole solution" to the problem proposed by the parent relies on idealised password manager usage which I don't think is representative of real-world use.

I do agree with this.
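An added example, not code from any commenter in this thread: a minimal origin-matching autofill check in Python that shows why a manager which fills only on the exact saved origin hands nothing to a lookalike page, while a password a person picks out of the vault and types by hand goes to whatever page is open. The vault entries and lookalike hosts are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed vault: credentials keyed by the exact origin they were saved from.
VAULT = {
    "https://bank.example": {"user": "alice", "password": "Xk9#unique-bank-pw"},
    "https://shop.example": {"user": "alice", "password": "Qp2$unique-shop-pw"},
}


def origin(url):
    """Return (scheme, host, port) for a URL, normalising default ports.

    Comparing the full origin rather than a substring of the URL is what makes
    "bank.example.evil", "bank-example.com" and plain http all fail to match.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    port = u.port or {"https": 443, "http": 80}.get(u.scheme.lower())
    return (u.scheme.lower(), host, port)


def autofill(page_url, vault=VAULT):
    """Return a credential only when the page origin equals a saved origin.

    This is the autofill path: the manager never consults the user's eyes, so a
    convincing lookalike page simply gets no fill (returns None).
    """
    page = origin(page_url)
    for saved_url, cred in vault.items():
        if origin(saved_url) == page:
            return cred
    return None


def manual_type(page_url, entry_user_believes_matches, vault=VAULT):
    """Simulate the manual path: the user decides by eye which vault entry the
    page belongs to and types that password into page_url, whatever it is.

    Returns the password that would be submitted to page_url.  The origin of
    page_url is never checked, which is the weakness the thread points at.
    """
    return vault[entry_user_believes_matches]["password"]
```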



