The difference there would be that they would be guilty of theft, and you would likely have proof that they committed this crime and know their personal identity, so they would become a fugitive.

By contrast with a claw, it's really you who performed the action and authorized it. The fact that it happened via claw is not particularly different from it happening via phone or via web browser. It's still you doing it. And so it's not really the bank's problem that you bought an expensive diamond necklace and had it shipped to Russia, and now regret doing so.

Imagine the alternative, where anyone who pays for something with a claw can demand their money back by claiming that their claw was tricked. No, sir, you were tricked.

What day is your rent/mortgage auto-paid? What amount? --> ask for permission to pay the same amount 30 minutes before, to a different destination account.

These things are insecure. Simply having access to the information would be sufficient to enable an attacker to construct a social engineering attack against your bank, you or someone you trust.