Security is all about risks. Most companies aren’t at the scale of Facebook so the much rely on simple heuristics.
Facebook likely has enough ancillary data to not really even need your password. They’ve seen a bunch of prior usage from a device identical to your current one. Your IP matches known Ip for your session. There’s some cookie on your system that’s associated with you. Perhaps, even Facebook knows the handful of people that ever share WiFi with you.
Essentially, they already know who you are, so they’re willing to take anything that’s close to a known password.
FB think you should be able to login even if you made a silly typo in your password. Historically, they let you log in even if you unknowingly had caps lock on, or had the first character wrongly capitalised.
Maybe they’re stricter on this sort of thing if they think you haven’t signed in from the machine you’re on before. (Would explain the cookie thing.)
FB been doing this for years: https://security.stackexchange.com/questions/214814/why-can-...
Hashing multiple variations of your password every time you login will burn a couple of bits of entropy, but realistically if you're not using randomly generated passwords stored in a password manager you never had much security to begin with. They're just automating something that humans do manually