I don't understand the answers to your "what is a legitimate website with a malicious owner" question, but I kinda see this as the same concern as downloading a phone app that requests an OAuth login via a native webview. You can't always see the true URL of that login page. But it comes back to what I think is your main point -- you've already downloaded something malicious from the get-go. But I guess there's some damage control if you can spot a fake login page and remove the install.