I wonder about those kinds of exploits that sit on a webpage, but what stops someone from injecting their payload on a sites login page? JS can grab the password in plaintext in such a scenario, at which point the password manager does not save you. Can we normalize Passkey more?
I think the point is that you can have arbitrary website read the browser’s memory so example.com can read the password for example.org and example.net.
Or the computer's memory via Meltdown and Spectre-like attacks
That's why I disable JS by default with UBlock Origin. And OFC never allow JS to acces your clipbaord.