This is why threat vector analysis is so important, because in your case, there is no additional vector. If someone has MITM'd you, they can just intercept your token before they pass it to Gitlab.
And to your other point, you're right, if your adversary already has a keylogger running on your device you're pretty much screwed in any case.
And to your other point, you're right, if your adversary already has a keylogger running on your device you're pretty much screwed in any case.