lj·rkIf you claim that this scheme "uploads your secret key", then by the same reason password auth uploads the shared secret to every hop b/w you and the authenticator. Which, yes, but it's encrypted using TLS: Your ISP cannot read the password.
Additionally, this is actually nothing that's related to Passkeys. It's just how synched Passkeys are commonly implemented. You don't *need* to sync discoverable Passkeys, it's nowhere in the spec. KeePassXC allows you to not sync Passkeys.
Either way, they are more secure simply in the same sense that SSH Keys are more secure than SSH Passwords. It's absolutely insane that we now, finally, have proper public-private-key auth in the Web and the same people claim it's insecure while themselves using SSH Keys. It's the freaking same thing, just for Web!
To drill this down: The major point against attacks is not that the secret is safely stored in a physical key. It's that the authentication isn't based on a shared secret. And that's what happens here.
Optionally(!) syncing Passkeys doesn't make this less secure, since they are encrypted before they even leave the device. And this is the same for synched passwords managers.
If you don't sync, you don't have either. It has *nothing* to do with Passkeys.
All GNU social JP content and data are available under the