Indeed, software authenticators are apparently coming too, which goes one step further away from "hardware protected keys". It becomes more and more like passwords handled by managers. While you find this great apparently, I just see the attack surface being slowly widened. Initially it was a key tied to the security chip on the device, then the big vendors began to sync it in the cloud, and now any third party app can generate its own keys and do whatever with it. Before it was secure "per design" while now it's hoping that everybody does a good job at securing every corner of the chain. ...it's not like password managers haven't been hacked in the past, and with the upcoming complexity, we bring it to a whole new level. But well, I'm perhaps just an old paranoid dude.
Olaf
Well you neglect that from what we know now it will most likely become reality that we can backup/sync passkeys across private clouds/backup solutions/authenticator implementations as well. And that makes them really strong for those who want them to be independent of third party cloud provider or vendors. Just like OpenSSH Agent is for decades already and at least I was always wondering why not brining something similar to websites (actually using just that would have worked too but WebAuthn has some extras which I would not need but which are okay I guess).