My reply is late as I did not have chance to test passkeys on Ventura in conjuction with iPhones to full extent, as the VM I installed Ventura Beta in did not support BT. Which is required to complete a passkey registration using the option "on iPhone or iPad".

Now Ventura has been released and I was able to test and the result forces me to correct myself. What I thought would be the ability to store a passkey on the iPhone only appeared to be rather senseless: although the smartphone is used to create and register a passkey that key is shared by iCloud keychain nevertheless. After completing a registration of the passkey using a mac and an iPhone the resulting passkey was synced to the mac immediately and usable there without the phone.

Which does not make sense if one registers a passkey within macOS Safari using that option as one can rely on macOS without the iPhone to do that with the same result: a keychain-shared passkey.

Maybe it is there to support other browsers on macOS like Chrome or Firefox which do not have keychain access.

So I got fooled by seeing the option "Create on device" and guessing that this allows to restrict the key to that device.

I agree that the keychain passkeys have lesser security than those on security sticks (both key security and key attestation arguments are valid here). But as they are more convenient to use it may cause more offers on the net to register those keys and use them instead of passwords - which will support security stick users as well. As for now I am aware of four offers only to use passkeys, two of them being within software "on premise" (which for my purposes means at home): Google, Github, Gitea (an on-premise source code management system like github) and Synology DS. Only the latter two allow the use of passkeys instead of passwords, whereas the former support it as second factor only.