My personal thoughts might derail the whole conversation:
The best method of all those presented is always the most convenient.
- For the web browser, the extension with click-to-fill is the best. It's the fastest and it tells you if you are on the correct website and not a fake.
- For every other application, the best method would be auto-type, but if it does not work (Wayland), copy & paste is the best method.
- Typing is only needed if you do not have your password manager on your target device, like when you log in to Netflix on a Smart TV.
Here is my reasoning:
Security is not just about technical stuff. Much of it depends on the human factor. Having 30 character long, unique, randomly generated passwords for every service is good practice, but those passwords are a pain to type.
Not staying logged in to a website reduces the risk of session hijacking, but logging in is extra work.
Having good security practices and sticking to them is extremely valuable. Too often people undermine their own security because the workflows are too much of a hassle. Maximizing everyday convenience helps a lot here.
All the weaknesses discussed in your research are weaknesses inherent to passwords. You can reduce those risks by using TOTP 2FA or passkeys for most accounts. Your most critical accounts (password manager and everything-accounts like Google Account, Apple Account, Microsoft Account) should be protected with FIDO2/WebAuthn 2FA (a hardware key).
As soon as an attacker gets access to your computer that is equivalent to your own - aka you've got malware installed - you have basically lost the game. The only thing that can still be protected in such a case are your hardware keys. But as soon as you log in to a service protected by a hardware key, your session can be hijacked. Sandboxing helps by reducing the reach of potential malware. How effective that is depends on the methods your operating system uses.
So there are technical methods to improve security and they should be utilized when available. But I'm convinced day-by-day convenience is an important part of security and you should optimize for that too. Only if you can work as fast or even faster while sticking to good security practices does it become sustainable. Choosing inconvenience because it might be more secure in a particular scenario or would mitigate a certain risk is a fool's errand in my opinion.
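The first bullet above rests on one property of click-to-fill: the extension only offers a credential when the page's origin matches the origin the credential was saved on, which is why a lookalike site gets nothing filled. The snippet below is an added illustration of that check and is not code from the original post or from any particular password manager; the vault entries and page URLs are constructed sample data, and the strict same-origin rule (scheme, host and port must all match exactly) is this example's own choice.

```javascript
// Added example, not from the original post: the origin check a click-to-fill
// password-manager extension performs before offering a stored credential.
// All vault entries and page URLs here are constructed sample data.

// Sample vault: each entry remembers the exact origin it was saved on.
const SAMPLE_VAULT = [
  { name: "Example Bank", origin: "https://login.example-bank.com", username: "alice" },
  { name: "Example Mail", origin: "https://mail.example.com", username: "alice@example.com" },
];

// Parse a URL into a normalised origin {scheme, host, port}, or null if it does
// not parse. The WHATWG URL parser lower-cases the host, drops a default port
// (":443" on https becomes "") and converts Unicode hostnames to their Punycode
// form, so a homograph host never compares equal to the ASCII one it imitates.
function parseOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  return {
    scheme: url.protocol.replace(":", ""),
    host: url.hostname.toLowerCase(),
    port: url.port,
  };
}

// Decide whether a credential saved for `savedOrigin` may be offered on `pageUrl`.
// Rule (this example's choice): same scheme, exact hostname, same port, and the
// page itself must be https, so a downgrade to http or a lookalike such as
// "login.example-bank.com.evil.test" or "examp1e-bank.com" never matches.
function originMatches(savedOrigin, pageUrl) {
  const saved = parseOrigin(savedOrigin);
  const page = parseOrigin(pageUrl);
  if (!saved || !page) return false;
  if (page.scheme !== "https") return false; // refuse to fill on insecure pages
  return saved.scheme === page.scheme && saved.host === page.host && saved.port === page.port;
}

// Return the vault entries the extension may offer on the current page.
// An empty result is the "you are not on the correct website" signal.
function credentialsFor(vault, pageUrl) {
  return vault.filter((entry) => originMatches(entry.origin, pageUrl));
}

// Stand-alone demonstration.
for (const page of [
  "https://login.example-bank.com/auth",
  "https://login.example-bank.com.evil.test/auth",
  "http://mail.example.com/",
]) {
  const names = credentialsFor(SAMPLE_VAULT, page).map((e) => e.name);
  console.log(`${page} -> ${names.length ? names.join(", ") : "(no match: not the saved site)"}`);
}
```

Shipping extensions commonly relax the host comparison to the registrable domain (so `mail.example.com` and `www.example.com` share entries); the strict exact-host rule here is the easier one to reason about and is the safer default where subdomains are operated by different parties.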