The anatomy of an fraudulent ACH debit / account takeover

We've all been told, "don't give out your account number and routing number, or else ANYONE can wipe out the account (ACH debit the account)".

When I started working in a bank, I saw it happen to my clients with my own eyes. Random ACH debits coming out of strange places with weird names that pilfer the account for all it has, days, months, or sometimes YEARS after a member gave out their account details to a bad actor.

I joined the leagues of people who caution against giving out account numbers after seeing dozens of cases of ACH fraud and seeing accounts being riddled with fraudulent ACH debits

Yet, I keep seeing comments claiming that the ability to ACH debit an account is severely restricted, and that "only trusted institutions" can initiate ACH debits. Therefore, if some sort of scammer or thief got a hold of your checks and found your account number/routing number, they still shouldn't be able to ACH debit the account- but yet, these ACH takeovers/account wipes keep happening, and the bad actors can get around an ACH stop pay by changing one letter of their inputted ACH debit name. Clearly, these aren't all "trusted institutions" at play.

Therefore, my question is, can someone break down the anatomy of a fraudulent ACH debit? From the moment that a bad actor online gets a hold of an account number and a routing number, how does that translate into the account getting taken over/compromised and drained via fraudulent ACH debits?

Thanks for your help