The threat vector for your passkeys being stolen is the same as current passwords, that's true (because they're just in some syncing database), but it solves many issues that are the leading cause of account compromise these days, mainly phishing and reused passwords.
So, for me, there is no real upside, other than not needing to click "generate password" in my password manager.
What downsides are there? E.g, will it work on rooted phones? Will apps start adding mandatory pin numbers on top (like they do for biometrics), or will Google/Apple's app stores disallow it? How do I "log out" to avoid tracking without being implicitly logged back in? What happens if I routinely wipe my browser settings? Can I use some other person's computer to login in a pinch? (Such as when my phone is off network?)
In principle, browser and os vendors could work through all these "niche" use cases, but I'll be pleasantly surprised if they actually did.
