I had this same problem with my self-hosted Home Assistant deployment, where Google marked the entire domain as phishing because it contains a login page that looks like other self-hosted Home Assistant deployments.

Fortunately, I expose it to the internet on its own domain despite running through the same reverse proxy as other projects. It would have sucked if this had happened to a domain used for anything else, since the appeal process is completely opaque.