I wouldn't call it "shenanigans" unless there were ever a case of Mint making any change to a user's account. So far none. They're clearly not trying to trick people into giving up credentials for nefarious purposes.
I sort of agree, but to say that they can't do anything besides query if certainly false if they have the credentials that I, myself, use to log in and perform transactions.
It's kinda like when Dropbox said they couldn't access user's files even though they technically could.
The fact that I didn't need to provide answers to security questions for Mint to use means (I think) that Mint has worked out some agreement with the banks which allow "query-only" interactions.
Also, many banks have a way to alert users to logins from new machines and many have things like 2-factor authentication and security questions which would make it hard for a criminal to use my credentials if they were somehow swiped from Mint.