Hacker News
by valuearb 2154 days ago
I am curious as to how Safari connects the 2FA code to the web page. It would seem whatever they are doing could easily implement a database that maps 2FA SMS messages to domains, not only refusing to auto-enter them on phishing sites, but warning the user they may be on one.
1 comment

It doesn't; it offers to autofill a received code into a field on the page for a short time, but only actually fills it upon user interaction (so the page can't be sniffing for it via JS the moment it arrives).