Re: Randomly picking 24 words from the BIP39 wordlist
Board: Development & Technical Discussion
by o_e_l_e_o on 03/12/2022, 13:37:17 UTC
First of all, it is not just a missing last word that has 128 possibilities. Every word has 128 possibilities if it is missing, assuming that no others are also wrong or missing.
That's not quite right. Only the last word has exactly 128 possibilities, since for every final seven bits of entropy the last word provides, there will be exactly one word out of the 16 possibilities which has the correct checksum. When swapping out any other word, since the checksum is already fixed, there will be 128 possibilities on average (as opposed to exactly 128 words), since you cannot predict exactly how many possibilities will hash to the already fixed checksum.

Why? Why is SHA-256 an appropriate choice for a checksum? It was not designed for that purpose. All it has the ability to do is detect errors but not correct them, right? So how is that appropriate, not being able to correct a certain minimal number of errors? It can do zero in that regard.
Arguably, you only want error detection and not error correction. The checksum used in Bech32 addresses can provide error correction, but no piece of wallet software implements it. The reason behind this is explained in BIP173. In short, you don't want an error to accidentally be corrected to the wrong address, resulting in loss of funds.
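The counting argument in the reply above (exactly one valid checksum per choice of the last word's entropy bits, but only an average over the 2048 words at any other position) can be checked directly on the BIP39 bit layout. The following is an added example, not code from the thread: it works on 11-bit word indices rather than the wordlist, computes the SHA-256 checksum as BIP39 specifies (first ENT/32 bits of SHA-256 over the entropy), and generalises to any phrase length, so it also shows the 24-word case of the topic title, where the last word has only 3 entropy bits and hence 8 valid candidates.

```python
import hashlib

WORDS = 2048  # size of the BIP39 wordlist; a word is an 11-bit index


def phrase_from_entropy(entropy: bytes) -> list[int]:
    """Append the BIP39 checksum to raw entropy and split into 11-bit word indices."""
    ent = len(entropy) * 8          # 128 bits for 12 words, 256 bits for 24 words
    cs = ent // 32                  # checksum length: 4 bits or 8 bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    n_words = (ent + cs) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & (WORDS - 1) for i in range(n_words)]


def is_valid(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy portion and compare with the stored bits."""
    n = len(indices)
    ent = n * 11 * 32 // 33         # entropy bits implied by the word count
    cs = ent // 32
    if n * 11 != ent + cs or ent % 8:
        return False                # not a BIP39 word count (12, 15, 18, 21 or 24)
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (bits & ((1 << cs) - 1)) == expected


def valid_replacements(indices: list[int], position: int) -> list[int]:
    """All word indices that keep the phrase checksum-valid when placed at `position`.

    For the last word the result has exactly 2**(11 - cs) entries; for any other
    position the checksum is already fixed, so the count only averages 2048 / 2**cs.
    """
    return [
        w for w in range(WORDS)
        if is_valid(indices[:position] + [w] + indices[position + 1:])
    ]


if __name__ == "__main__":
    # Constructed sample entropy; real seeds must come from a CSPRNG.
    for entropy in (bytes(range(16)), bytes(range(32))):
        phrase = phrase_from_entropy(entropy)
        last = len(phrase) - 1
        print(f"{len(phrase)} words: last-word candidates = {len(valid_replacements(phrase, last))},"
              f" word-6 candidates = {len(valid_replacements(phrase, 5))}")
```

The checksum only shrinks the candidate set; nothing in it says which of the remaining candidates is the word that was actually lost, which is the error-detection-only behaviour the reply describes.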