The email password reset feature is an overlooked part of modern security. It has become sort of like a master key for every service. Combined with password reuse it becomes really risky (but oh, so convenient).
This approach basically makes all the security provided by the passkeys void, as the whole system becomes no better than a login-via-email-link or login-via-SMS-code scheme.
Every time an average user registers to a site with a passkey, they aren’t giving that site their reused password that also provides access to their email (I believe that’s the main way email accounts get hacked).
If they registered to their email with a passkey, great.
Either way, passkeys seem to reduce the risk of the email being compromised.
I don't think password reuse is the common vector - I believe the most common one is phishing, where the user is tricked into giving up their current credentials, straight for the service that the attacker is interested in. But I can be wrong. And, yeah, it is an improvement for sure.
You're definitely right that passkeys drastically improve the bottom line security for the least protected folks (which are probably the majority). It is a step in the right direction, for sure. But they also make things worse for me - someone who uses different random high-entropy passwords for almost everything except local sudo and unlock PIN codes. I want to use PKI instead of shared secrets, but when I try - it's extremely inconvenient, so I know at some point I'll just give up. This, and the fact that my bottom line is not moving up at all - it still remains the same, limited by recovery processes' security - is frustrating.