
PayPal redirects you to a PayPal site (hosted on paypal.com, UX controlled by PayPal) to enter your payment information, and then redirects you back to the merchant once you're done.

Stripe supplies a script that merchants embed and style themselves. In theory the script sends the payment info off to Stripe directly for tokenization... but the user has no way of knowing that the merchant site didn't sniff it, or even that the script was used at all.



Why would the merchant site need to sniff anything? Once a customer has made any purchase, the merchant then has direct access to charge their cards from the Stripe dashboard. That's why it is a huge responsibility to use these services.

Unless it is something that I've misunderstood?


Yes, that's another problem with Stripe. PayPal also requires you to verify the charge in their UI, with the amount shown.

But a Stripe token (as implemented correctly) is still not quite as powerful as the card info itself, since it can only be reused with Stripe by that merchant.


Thank you for clarifying.



