"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."
Meanwhile U2F/Passkeys can't possibly be abused like this.
Well, mine pops up a big warning if you try pasting when the domain doesn't match it, so at least it would force you to take a second look. Also, all the real-world services that I use have passkeys as 2FA, which I also store in the password manager.
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.
Same with Meta and Google, where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
Yeah but the downsides of passkeys make them so much worse anyway.