I don’t understand what you mean, sorry. If you are manually copying a password, then you are not using passkeys? There is nothing to copy/accidentally leak with passkeys.
I guess it will be a while before passkeys are the _only_ option that websites accept
I'm saying that as long as websites use the username/password model alongside passkeys with no way to turn off the former, you're just as at risk of phishing with passkeys as I am with domain-bound autofill.
Either one of us would have to choose to manually copy our logins into a phishing form in order to get phished.
I guess it will be a while before passkeys are the _only_ option that websites accept