Good reason to get a Yubikey or similar, and use it to generate WebAuthn‐based SSH keys that can’t be used once exfiltrated. (“ssh-keygen -t ed25519_sk”)
Yes, but once an attacker has root on your systems they may well install something that captures that passphrase so a chunk of hardware that you have with you would seem to offer some extra protection.