by jdmoreira 103 days ago
Not sure I understand your point. Under WebAuthn / FIDO2 you can't impersonate an RP.

Could you explain better?

2 comments

If the user's computer is pwned, you can wait for the user to log in to their bank account, then blank the screen while you send yourself all their money.
WebAuthn assumes the browser is secure. If the browser is compromised, then impersonation becomes possible: the user, thinking they're authorizing the addition of a new SSH key on GitHub.com by touching their YubiKey, gets their money stolen by the hacked web browser, because it has an invisible hidden window with bank.com waiting for YubiKey authentication.