Does this include a way for a technically-savvy user to 'repatriate' their passkeys into their own infrastructure? (i.e. If I want to be my own provider)
The exchange spec suggests that the sending secure enclave sends encrypted credentials to the receiving secure enclave; they're never unwrapped in public between 'trusting' enclaves; which enclaves will trust each other enough to perform the credential transfer is another question.