
The comments are full of statements regarding security capabilities for passkeys. But there is no public specification that even defines requirements for the exchange of passkeys between devices. Google and Apple make statements on their websites regarding the security, but all of it is practically unverifiable. Please note that end-to-end encryption is useless if you do not control all the endpoints.

Sites could of course use the device public key extension of the WebAuthn protocol to rely on more than a private key copied intransparently between devices, but I wonder who will even know about it and actually use it. Google has stated they support the extension, but I cannot find a statement by Apple. A question whether DevPubKey is supported by Apple is unanswered on the Apple Developer Forums.
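The relying-party side of what the comment describes, as an added example that is not part of the original comment: once a site requests the devicePubKey extension, it can keep a per-credential record of the device keys it has seen and treat an assertion from a synced passkey on a never-seen device differently from one on a known device. The code assumes that a WebAuthn library has already verified the assertion itself and the extension output's signature, and hands over the device public key as opaque bytes (or `None` when the client returned no devicePubKey output, which is exactly the case for a provider that does not support the extension). The class and function names are this example's own, and the sample key bytes are constructed.

```python
"""Relying-party policy for WebAuthn devicePubKey outputs.

Added example, not code from the comment. Assumes the WebAuthn library has
already verified the assertion and the devicePubKey signature and gives us
the device public key as opaque bytes, or None if the client sent none.
"""
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Dict, Optional, Set


def dpk_fingerprint(dpk: bytes) -> str:
    """Stable identifier for a device public key: SHA-256 of the raw key bytes."""
    return sha256(dpk).hexdigest()


@dataclass
class DeviceKeyRegistry:
    """Maps each passkey credential id to the device key fingerprints trusted for it."""
    known: Dict[str, Set[str]] = field(default_factory=dict)

    def register(self, credential_id: str, dpk: Optional[bytes]) -> None:
        """Called at passkey creation; the device key seen at enrolment is trusted."""
        fingerprints: Set[str] = set()
        if dpk is not None:
            fingerprints.add(dpk_fingerprint(dpk))
        self.known[credential_id] = fingerprints

    def assess(self, credential_id: str, dpk: Optional[bytes]) -> str:
        """Classify an already-verified assertion for this credential.

        Returns one of:
          unknown_credential   credential id was never registered here
          no_device_key        no devicePubKey output was returned, so only the
                               (possibly synced) private key authenticated
          known_device         this device key was already trusted for the credential
          new_device_step_up   the credential's private key is being used from a
                               device never seen before: require a second factor
                               or notify the account owner before trusting it
        """
        if credential_id not in self.known:
            return "unknown_credential"
        if dpk is None:
            return "no_device_key"
        if dpk_fingerprint(dpk) in self.known[credential_id]:
            return "known_device"
        return "new_device_step_up"

    def trust_device(self, credential_id: str, dpk: bytes) -> None:
        """Admit a new device key after the step-up for it succeeded."""
        self.known.setdefault(credential_id, set()).add(dpk_fingerprint(dpk))


if __name__ == "__main__":
    registry = DeviceKeyRegistry()
    # Constructed sample values; real device keys are COSE-encoded public keys.
    laptop_key, phone_key = b"constructed-dpk-laptop", b"constructed-dpk-phone"
    registry.register("cred-42", laptop_key)
    print(registry.assess("cred-42", laptop_key))   # known_device
    print(registry.assess("cred-42", phone_key))    # new_device_step_up
    registry.trust_device("cred-42", phone_key)
    print(registry.assess("cred-42", phone_key))    # known_device
    print(registry.assess("cred-42", None))         # no_device_key
```

The `no_device_key` outcome is the one to watch: if the provider never returns the extension output, the site falls back to exactly the situation the comment describes, a private key that may have been copied between devices with no way for the site to tell which device is using it.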



It is telling to me that the passkey spec has provisions for attestation, which will allow lock-in by providers and lock-out by websites based on your provider, but questions of backup, account restore and interoperability between providers receive some hand-wavy "the market will figure it out" response.



