The worst thing about passkeys is how browser extensions must handle them: using JavaScript injections to the web page. Of course this means _any_ browser extension could do the same and be the man-in-the-middle inspecting the passkey creation and authentication.
I'd be glad to have some kind of standard API behind a proper permission for handling passkeys.
replies(1):