PayPal very strongly tries to make you give them your full bank info (remember that the banking system has absolutely no security as the computer world knows it - this is a feature required for checking to work - so this means anybody with access to your bank id numbers in PayPal's records can do arbitrary transactions to/from your bank account). When I last used it it was possible to avoid on the buyer end and just use a credit card, but I haven't used it for years and I think it was different on the seller end even then.
Routing and account numbers have been on every check written for decades. Banks usually aren't quite that naive to let anyone with the numbers transfer whatever they want. There's name validation they can do, but legally/contractually IIRC it's optional. So the numbers + a lot of social engineering skill can do damage.
But I kinda suspect the ROI is higher for social engineering into an online account portal to Zelle a bunch of stuff around vs waiting for ACH transfers. Breach a login vs find an ACH list and transfer stuff out of the high-value accounts without triggering any flags (imagine you had access to that Paypal list - how are you trying to exfiltrate from millions of accounts without looking suspicious?).
