[peterwwillis]

Well their main use is to mitigate remote compromise. But I suppose if for some reason someone compromises a private key remotely (???), they don't have your physical 2nd key to complete auth. Or if you want encryption at rest with something stronger than a passphrase. For weird cases like "disk backup was compromised" it also helps, because most people don't encrypt backups at the client. But in general, actual protection seems vanishingly small past remote attacks.

So I think in general private keys aren't improved with a token, since a compromised private key is supposed to be a local compromise.

[32032141]

I don't really see a situation in which someone has local file read access on your machine, but doesn't otherwise have you completely owned.

[dcbadacd]

A regular keylogger won't no longer work with a hardware token for example. Yes, having your PC compromised is bad but it would be even worse if the keys can be stolen and used elsewhere, it just rises the bar significantly for getting persistent access (re-establishment without the token is really hard) in my opinion.