Unfortunately, in a highly regulated environment like finance or healthcare this is the norm for opsec reasons. Can't have disgruntled laid-off employees taking revenge actions against the company or customers.
We're talking about Plaid here. The company that willfully violated every norm around credential handling, implemented fraudulent front-end lookalikes to harvest user credentials, and then used those to reap customer financial records in blatant violation of BSA, and again, 90% of the ethical mores of a responsible finance company.
I will not, nor would I recommend anyone extend benefit of a doubt when it comes to this org in particular.
While you are factually correct in the general case, I'd hate for people to leave with the idea that Plaid has ever concerned itself with compliance when there was a buck to be made or an inconvenient norm to be worked around unethically.