A proof-of-concept using malicious extensions to intercept WebAuthn calls highlights the need for tighter browser controls.
