If they use MITM, that will include themselves. A password manager doesn't try to log in for you. But most passkeys managers are MITM. At least we can audit OpenSSL code, and we don't have to care about our public keys.