From my POV this is on the site developers to write their sites in such a way that they don't share any sensitive stuff. My contract, such as it is, is with Intuit (or whoever owns TT now). (that said i also still use the downloaded product rather than the web version and hope it continues to be available)
Data scraping is something society generally accepts at some level, though i hope that level becomes "less". But what's being described in the suit mostly sounds like just the state of the market and thus this seems like an abusive lawsuit.
When it comes to financial sites specifically, anyone who pays attention (even at just the level of running something like Ghostery and noticing the number of trackers on a site) has know about this risk for many years. (i for one was Karen enough (before that term existed, even) to write an email to customer service to either TurboTax or one of my banks to say: dudes, why are there so many ad trackers on my account pages ? is this safe?)
And if you ever look at the number and variety of trackers on airline booking sites, including their address and payment pages (like American , United, etc ) your hair might stand on end.