It sounds like part of the problem is that two rather separate standards of "phishing" are getting conflated:

1. "Hi, I'm your bank, log in just like you normally do." (Passkeys immune.)

2. "Hi, I'm your bank, do something strange I've never ever asked you to do before by uploading some special files or running this sketchy program." (Passkeys just resist.)

The problem with the expansive definition is it basically starts to encompass every kind of trick or social-engineering ever.