How, tho? With one link? I guess the link used Coinbase credentials saved on his phone or something. But does that mean the link was able to spoof itself as the real Coinbase app? I'm not sure how these phone security features work.
Anyway, even if you use custodial, I would recommend using whitelisting. That way, funds can only be moved to bitcoin addresses you already trust, and it takes something like 48 hours to whitelist a new address.