All I can think of is bots using harvested credentials.
But that wouldn't be a real user agent.
In general, for human users, disallowing paste/password managers is an anti-pattern, and #WCAG 2.2 gives you a very credible #a11y post to nail this to.
@jensimmons
Gregory's Server