It certainly recognizes the domain, but thats more of a convenience feature than a security feature. Nothing is stopping you from putting your example.com code into legit-example.com manually. Sure the extension won't do it automatically, but if the user is convinced to put the password into the fake website, user could also put in the TOTP code