Apps able to autofill SMS verification codes even though I have setting disabled

asuka_soryu

I have Venmo installed from the Play Store and when I tried logging in, it was able to, without permission from me, autofill the 2FA SMS verification code. I had:

Settings > Apps > Sandboxed Google Play > Google Settings > Autofill > SMS verification codes > everything disabled
Settings > Passwords & accounts > Passwords, passkeys, and data services > set to 'None'

What gives? What on earth gave Venmo permission to read my SMSs? Is Google's SMS retrieval API somehow active? I'd think that having those two toggles under the Google Settings would have disabled that.

asuka_soryu

This is somewhat obvious, but by removing Play Services' SMS permission and trying again, another app that I know to be able to get codes in the same way was no longer able to - the question is still why it provided Venmo a verification code when I had the settings to do so disabled.