The only way to upload sensitive data is to encrypt it yourself, while handling all the secret key material yourself, and then upload the result. You can't trust the website when it has access to the secret key, regardless of whether it was derived from FIDO2 HMAC or whatever.
Deploying a malicious version of a given webapp is still harder (and much more visible) than just silently dumping a backend database, so I'd trust an implementation that client-side encrypts my data using PRF and passkeys significantly more than one just uploading everything in plaintext.
Huh? But that’s the entire point. The website only knows your public key. The encryption happens locally, within the secure code of the authenticator, far away from the website.
The decrypted data is stored in a JavaScript variable. The JavaScript is under full control of the website owner. Adding telemetry to a website is pretty easy.
It would simplify website operations and eliminate some kinds of security bugs, though.
Well, okay, sure. But everything that is exfiltrated happens in plain sight, since all crypto operations are performed client-side. This offers way better guarantees than plaintext or SSE for many use cases IMHO.
No it does not. The website knows the secret key; it just is not supposed to store it (the user has to trust that the website stores just the salt and not the derived secret key):
The only way to upload sensitive data is to encrypt it yourself, while handling all the secret key material yourself, and then upload the result. You can't trust the website when it has access to the secret key, regardless of whether it was derived from FIDO2 HMAC or whatever.