The attack vector is almost always a password that's too simple, or reused. Passkeys are pub/priv based and not reused. It's a challenge and response auth versus basic auth. The PIN makes it something you have and something you know so adds another layer of security.

I hate Google too but passkeys are sound.