Hacker News
by josephscott 36 days ago
One thousand times this. I am not giving away the keys to my bank accounts.

It’s worse than keys, it’s a persistent read-only view of all account data.

At least there is a process for unauthorized ACH debits. For this blatant breach of privacy, there is nothing.

Plaid requires your bank username and password, so they have full read-write access to your account. They can do anything you can do when logged in to the bank's website, and so can anyone else who gains access to Plaid's database.
> They can do anything you can do when logged in to the bank's website

Which is hopefully nothing beyond looking at transaction data without 2FA.

Plaid's login flow also requires a 2FA code if your bank requires it. The same 2FA code that banks say to never provide to anyone else.

They're literally proxying the bank's login page just like a phishing site would, and I assume they're also selecting the "trust this computer" option so their access is more persistent. My bank does require re-2FA for larger transfers, but there's still a lot of damage I can do on a "trusted" computer without triggering another 2FA prompt.

To be honest, that's on the bank then.

Doing re-2FA for every outbound transfer, and mentioning the consequences of entering the 2FA code out of band (e.g. "enter code 123456 to confirm transfer of x$ to y" or "press OK to confirm transfer..." in a mobile app) should be the bare minimum these days.
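As an added illustration of the "enter code 123456 to confirm transfer of x$ to y" suggestion above (this is editor-added example code, not anything from the thread or from any bank or aggregator): a confirmation code whose HMAC input covers the amount and recipient as well as the time step. A phished code then only works for the exact transfer the user was shown; the same code computed the plain TOTP way (time step only) verifies for any transfer. The secret, amounts and recipient names are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed per-user secret shared between the bank and the user's authenticator (demo only).
USER_SECRET = b"constructed-demo-secret-not-a-real-seed"
STEP_SECONDS = 30


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC digest to a numeric code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def transfer_context(amount_cents: int, recipient: str) -> bytes:
    """Canonical encoding of what the user is confirming; it becomes part of the HMAC input."""
    return f"transfer|{amount_cents}|{recipient}".encode()


def confirmation_code(secret: bytes, time_step: int, amount_cents=None, recipient=None) -> str:
    """Transaction-bound code: HMAC over the time step plus the transfer details.

    With no transfer details it degrades to a plain time-based code, which is the
    weak variant shown for contrast.
    """
    msg = struct.pack(">Q", time_step)
    if amount_cents is not None:
        msg += transfer_context(amount_cents, recipient)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def prompt(amount_cents: int, recipient: str, code: str) -> str:
    """The out-of-band message: the code is shown next to what it authorizes."""
    return f"Enter code {code} to confirm transfer of ${amount_cents / 100:.2f} to {recipient}"


def verify(secret: bytes, submitted: str, amount_cents: int, recipient: str, now: int,
           bound: bool = True, window: int = 1) -> bool:
    """Accept the code only if it matches the transfer actually being executed (bound=True)."""
    step = int(now // STEP_SECONDS)
    for drift in range(-window, window + 1):
        if bound:
            expected = confirmation_code(secret, step + drift, amount_cents, recipient)
        else:
            expected = confirmation_code(secret, step + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def demo():
    """Constructed scenario: user confirms a $250 bill, attacker tries to reuse the code elsewhere."""
    now = 1_700_000_000
    step = now // STEP_SECONDS
    intended = (250_00, "ACME Utilities")
    hijacked = (250_00, "attacker-account")
    bound_code = confirmation_code(USER_SECRET, step, *intended)
    plain_code = confirmation_code(USER_SECRET, step)
    return {
        "prompt": prompt(*intended, bound_code),
        "bound_ok": verify(USER_SECRET, bound_code, *intended, now),
        "bound_replayed_elsewhere": verify(USER_SECRET, bound_code, *hijacked, now),
        "plain_ok": verify(USER_SECRET, plain_code, *intended, now, bound=False),
        "plain_replayed_elsewhere": verify(USER_SECRET, plain_code, *hijacked, now, bound=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bank-side check has to recompute the code from the transfer it is about to execute, not from whatever the client claims it was confirming; that is what makes the recipient substitution in `demo()` fail.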

Lmao that must be an American thing. Here it just uses the open banking APIs.
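To make concrete the difference the thread is arguing over, between handing a third party the bank password (which yields a session that can do everything the user can, as described further up) and an open-banking style consent token scoped to reading account data, here is an editor-added toy model. It is not code from any bank, aggregator or open banking standard; the HMAC-signed token format, scope names and signing key are all constructed for the example, and a real deployment would use a proper OAuth/JWT implementation.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the toy bank (demo only).
BANK_KEY = b"constructed-bank-signing-key"

ALL_SCOPES = {"accounts:read", "payments:write", "profile:write"}
# Constructed mapping from API actions to the scope each requires.
REQUIRED_SCOPE = {
    "list_transactions": "accounts:read",
    "create_transfer": "payments:write",
}


def _sign(payload: dict) -> str:
    """Serialize and HMAC a payload into an opaque bearer token (toy format)."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).rstrip(b"=").decode()
    sig = hmac.new(BANK_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _verify(token: str, now: int):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(BANK_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] <= now:
        return None
    return payload


def login_with_password(user_id: str, now: int, ttl: int = 30 * 24 * 3600) -> str:
    """A 'trusted device' session: whoever holds the password gets every scope."""
    return _sign({"sub": user_id, "kind": "session",
                  "scopes": sorted(ALL_SCOPES), "exp": now + ttl})


def issue_consent_token(user_id: str, scopes, now: int, ttl: int = 90 * 24 * 3600) -> str:
    """A consent token: only the scopes the user explicitly granted, with its own expiry."""
    granted = sorted(set(scopes) & ALL_SCOPES)
    return _sign({"sub": user_id, "kind": "consent",
                  "scopes": granted, "exp": now + ttl})


def authorize(token: str, action: str, now: int) -> bool:
    """Bank API gate: the token must be valid and carry the scope the action needs."""
    payload = _verify(token, now)
    if payload is None:
        return False
    return REQUIRED_SCOPE[action] in payload["scopes"]


def demo():
    """Constructed scenario: an aggregator holding either alice's session or a read-only consent."""
    now = 1_700_000_000
    session = login_with_password("alice", now)
    consent = issue_consent_token("alice", {"accounts:read"}, now)
    tampered = consent[:-1] + ("0" if consent[-1] != "0" else "1")  # flip one signature hex digit
    return {
        "session_reads": authorize(session, "list_transactions", now),
        "session_transfers": authorize(session, "create_transfer", now),
        "consent_reads": authorize(consent, "list_transactions", now),
        "consent_transfers": authorize(consent, "create_transfer", now),
        "consent_after_expiry": authorize(consent, "list_transactions", now + 91 * 24 * 3600),
        "tampered_consent": authorize(tampered, "list_transactions", now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the contrast: if the aggregator's database leaks, a stolen consent token is still limited to `accounts:read` until it expires, whereas a stolen password-derived session (or the password itself) carries `payments:write` and everything else.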