If it's FIDO2, then you don't actually expose biometrics to the site. The verification is done on device and unlocks a key saved in the TPM/secure enclave.
Of course, once Face ID/Windows Hello logins on the web become a thing, web sites may trick users into enabling their regular camera instead, for whatever reason.
Just so it’s extra clear, once the key on your Secure Enclave is unlocked, it then decrypts the repository of passkeys on your drive and then sends that to connect to the service.
Of course, once Face ID/Windows Hello logins on the web become a thing, web sites may trick users into enabling their regular camera instead, for whatever reason.