I can confirm 100% that there are banks checking to see if teamviewer ports are open.

you can't query local services from a remote webpage unless you use a dns rebinding attack which is probably a bit over the top for "whitehat" activity.

I have encountered numerous sites that port scan localhost via websocket/img onerror/etc.

The point of a check like this wouldn't be to bypass a firewall, just to see if the port is open on your public IP.

shouldn’t it work by using websockets to localhost?

Sort of, and only with a lot of effort: https://incolumitas.com/2021/01/10/browser-based-port-scanni...

but only because the local service in this example is not prepared to accept the websocket connection, the teamviewer client would be able to do this to enable some functions on the teamviewer website if a instance is running