If you are genuinely interested in a technical answer, here it is: Auto-fill is ALWAYS more secure than copy-paste.
Why is that? Auto-fill checks the URL of a page and provides credentials only if it matches the entry in your password database (and even then only after an explicit action by the user, not automatically on page load—by default, KeePassXC also asks the user for permission, so the browser has access to nothing without explicit approval). The only way an attacker can get their hands on the credentials is if that site is compromised (either via the backend or via cross-site scripting). Generally, if the site is compromised, an attacker can do anything, regardless of how you entered your credentials. They can steal all your inputs (regardless of source) and they can also steal your entire session. The only thing that click-jacking does is be more sneaky about it so that you don’t notice what’s going on. But in general, a cross-site-scripting attack could also replace the full page and you would never know.
There is nothing that protects you against this attack. In fact, you are MORE vulnerable to click-jacking with copy-paste, because you have to actively interact with the page. There are no automatic checks for anything when you use copy-paste. You also lose any sort of phishing protection, because without auto-fill, there are no URL checks. So you might as well be entering your credentials on a typosquatting website or after a malicious redirect.
Auto-fill via the browser extension is the best way to keep your credentials safe. Copy-paste is the worst possible alternative. With copy-paste you also make your credentials available to all applications on your system via the global clipboard, which is another risk factor (and you might also paste them somewhere else accidentally). The only safer alternative to auto-fill is passkeys.
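The URL check described above, as an added example that is not part of the original comment and not KeePassXC's own code: it assumes an entry is offered only when scheme, host and port of the page equal those of the stored URL. The function names, the entry fields and the sample URLs (reserved `.example` and `.test` domains) are hypothetical.

```javascript
// Added illustration of an auto-fill URL check; names are hypothetical and
// exact scheme/host/port matching is an assumption, not KeePassXC's rule.

// Decide whether a stored entry may be offered for the page at pageUrl.
function entryMatchesPage(entryUrl, pageUrl) {
  let entry, page;
  try {
    entry = new URL(entryUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable URL: never offer credentials
  }
  // Compare parsed components, never the raw string:
  // "https://login.shop.example@attacker.test/" parses to host "attacker.test".
  if (page.protocol !== 'https:' || entry.protocol !== page.protocol) return false;
  if (entry.port !== page.port) return false;
  // URL() lowercases the host and converts IDN labels to punycode, so a
  // look-alike Unicode host cannot equal the stored ASCII host.
  return entry.hostname === page.hostname;
}

// Return only the entries whose origin matches the current page.
function credentialsForPage(database, pageUrl) {
  return database.filter((e) => entryMatchesPage(e.url, pageUrl));
}

// Constructed sample database and page URLs.
const database = [{ url: 'https://login.shop.example/', username: 'alice' }];
const pages = [
  'https://login.shop.example/signin',           // legitimate page
  'https://login.sh0p.example/signin',           // typosquat (0 for o)
  'https://login.shop.example@attacker.test/',   // userinfo trick
  'https://login.shop.example.attacker.test/',   // prefix trick
  'http://login.shop.example/signin',            // downgraded scheme
  'https://login.sh\u043ep.example/signin',      // Cyrillic "o" homograph
];
for (const p of pages) {
  console.log(credentialsForPage(database, p).length, 'match(es) for', p);
}
```

Only the first page yields an entry; with copy-paste, none of these comparisons run and the user's eye is the only check.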