Hacker News

Well, it doesn't solve the issue of someone sending you a fake login e-mail that you then mistakenly click on, that's true, but the whole point of magic links is that there isn't an auth flow; there's no password for them to steal from you.

In other words:

1. A malicious individual sends them a fake login link

2. The link can't ask them for a username and password because the site doesn't have passwords, just magic links

3. The site could ask them for your OTP code if they have one, but the bad actor doesn't have their magic link and the OTP code expires in a few seconds anyway

4. Without the bad actor actually getting access to a legitimate magic link, nothing happens

It does solve the issue of:

1. You visit the site on your device at the same time as they visit on their device

2. They get two e-mails and maybe click on the one that approves your session instead

3. Your session on your device logs in; theirs doesn't, so they figure it's a bug and go click the other one. Now you're both logged in.

If you require the session to be logged in by the link directly, it ensures that only the device you're viewing the e-mail on gets signed in; in the above scenario, your malicious session is never logged in, but their legitimate one is.
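The two designs the comment contrasts, as an added example that is not the commenter's code or any real service's: a minimal in-memory magic-link service that can either approve a pending session started on another device, or sign in only the browser that clicks the link. The browser names, e-mail address and scenario walk-through are constructed for illustration.

```python
import secrets
import time


class MagicLinkService:
    """Constructed in-memory magic-link issuer; two verification modes."""

    TTL = 600  # seconds a mailed link stays valid

    def __init__(self, approve_pending=False):
        # approve_pending=True : clicking the link approves the session that
        #                        requested it, wherever that session lives
        # approve_pending=False: the browser that clicks the link is the one
        #                        that gets signed in (nothing else changes)
        self.approve_pending = approve_pending
        self.tokens = {}    # token -> (email, pending_session, issued_at)
        self.sessions = {}  # session id -> email, or None while pending

    def request_login(self, email, browser):
        """A browser asks for a login e-mail; returns the token to be mailed."""
        token = secrets.token_urlsafe(32)
        pending = None
        if self.approve_pending:
            pending = browser           # this session now waits for approval
            self.sessions[pending] = None
        self.tokens[token] = (email, pending, time.time())
        return token

    def click_link(self, token, clicking_browser):
        """Consume a token; return the session that ends up logged in, or None."""
        entry = self.tokens.pop(token, None)   # single use: second click fails
        if entry is None:
            return None
        email, pending, issued_at = entry
        if time.time() - issued_at > self.TTL:
            return None
        if self.approve_pending:
            self.sessions[pending] = email     # approves the *requesting* device
            return pending
        self.sessions[clicking_browser] = email  # only the clicking device
        return clicking_browser


def confused_approval_scenario(approve_pending):
    """Two login requests for one address; the victim clicks both mails on
    their own device. Returns the set of browsers left logged in as the victim."""
    svc = MagicLinkService(approve_pending)
    t_attacker = svc.request_login("victim@example.com", "attacker-browser")
    t_victim = svc.request_login("victim@example.com", "victim-browser")
    svc.click_link(t_attacker, "victim-browser")  # the "wrong" e-mail first
    svc.click_link(t_victim, "victim-browser")
    return {b for b, e in svc.sessions.items() if e == "victim@example.com"}
```

With `approve_pending=True` the attacker's device is signed in alongside the victim's; with `approve_pending=False` only the victim's own browser is.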


