The attack surface is pretty small, though, isn't it? The most sensitive thing there is probably your viewing history and contact info. The additional overhead of supporting MFA (not from a technical standpoint, but from a user education one) would be tremendous, especially considering the customer base.
Some credit card information will leak too. Like nearly everyone, Disney covers up everything but the last 4 digits and CC type, and is mostly clean to current standards, but those standards are flawed in that that's still a lot of information if you are truly paranoid. (The last 4 digits are the most significant from an information entropy standpoint. The remaining digits follow typical patterns based on card type, which is often shown right next to those 4 digits, and sometimes {!} issuing bank. Apple's trying to change that with stronger reliance on more, harder to guess, easier to wipe, pseudo-random virtual numbers for cards, but not everyone yet has Apple Card and those kinds of practices still seem like they are going to be much slower for older issuing banks to adopt.)
>The most sensitive thing there is probably your viewing history and contact info.
For the end user, that might be true. But for the provider, bandwidth isn't free. So if people are streaming content on shared credentials, they still have to pay for that outbound traffic. So each shared subscription starts to cost the providing service money.
Particularly when most users will log in once on their Apple TV or whatever, and never think about it again—almost makes you wonder why they'd bother with passwords at all vs just doing an email-confirmation every time.