The Asynchronous Clipboard API allows reading the clipboard (including copied passwords), at any time by default, but the privacy considerations for it suggest that UAs might restrict it to after a user gesture. If a page is trying to steal data, it has to guess when that data's likely to be on the clipboard. It can poll, but polling is potentially suspicious, and a UA might alert the user or take other countermeasures.

clipboardchange changes the behavior to allowing the page to trivially track the entire history of the clipboard. This should be called out in the privacy considerations, and the WG should describe any potential mitigations there, since the first current mitigation in that section doesn't apply to this new event.