
I think with the "X can be phished" argument, there is a massive tradeoff to keep in mind: everything where you as a user have direct access to the key can in theory be phished. So the only way to make credentials unphishable is by hiding the key from yourself and entrusting it to a third party, in the way that passkeys work. However, now you're entirely dependent on that third party. The question is whether, everything considered, this is really such a big security improvement for you.

I think an alternative approach would be to accept a certain risk that credentials can be stolen and improve the ways in which stolen credentials can be revoked.
