I’m curious why he still carry all those things after he is done with it.

That’s not how Passkey, and the underlying WebAuthn works.

(Highly simplifies but still a bit technical) During registration, your key and the service provider website interacts. Your key generated a private key locally that don’t get sent out, and it is the password you hold. The service provider instead get a puclic key which can be used to verifiy you hold the private key. When you login in, instead of sending the private key like passwords, the website sent something to your key, which needs to be signed with the private key, and they can verify the signature with the public key.

The CXP allows you export the private key from a keystore to another securely. Service providers (Netflix) can’t do anything to stop that as it doesn’t hold anything meaningful, let alone a key (what key?), to stop the exchange.

One is a new technical specification called Credential Exchange Protocol (CXP) that will make passkeys portable between digital ecosystems, a feature that users have increasingly demanded.

I.e. I can copy my key to my friends’ device.

I didn’t say trust no one, but whom and what I trust shall be decided by me. Yes, there are things we can’t just build in our garage, yet there are tools enables us to investigate, and people and organization working on it. Maybe Apple’s take on AI have better privacy then others, but that shall be investigated and proven upon after release, not automatically granted.

I would not give the right of anyone deciding what is good for my privacy, including Apple. This should be a judgement made by myself.