Not having to trust a website with my credit card details is one of the main reasons I tend to use PayPal at all, and it's something they're actively advertising with [1]. I understand it's hard to find a solution that offers both good UX and security. Maybe they could have at least added a link to open the login in a new window on their domain for users who want to easily verify it's legit. Still, I think it's pretty irresponsible to teach users that entering login credentials on (essentially) a third-party website is okay.
[1]: https://www.paypal.com/us/webapps/mpp/paypal-safety-and-secu... @ Who you are is how you pay