I'm saying that as long as websites use the username/password model alongside passkeys with no way to turn off the former, you're just as at risk of phishing with passkeys as I am with domain-bound autofill.

Either one of us would have to choose to manually copy our logins into a phishing form in order to get phished.