I use paypal where available over direct credit card entry not because of the UX, which isn't perfect IMO and in the past has been worse, or because I particularly like paypal otherwise, but because it limits the amount of places I'm handing my credit card details to. I work under the hope that this reduces the attack surface area for those details being attained by the many ne'er-do-wells out there.

Same. That comes from experience. 2 out of 2 of the places I've worked professionally that took CC payments directly initially had CC numbers appearing in plaintext application logs.

It's harder to make that kind of mistake in a Paypal integration so if I'm buying from someone outside of my comfort zone I'll look to use Paypal.

Stripe also makes that kind of thing more difficult to do accidentally. I've occasionally had a look to see if a company used stripe.js before putting in my details.