Enable Browser Integration questions

[RT483b]

So for KeepassXC to do Passkeys I need to Enable Browser Integration and install the KeepassXC Browser Extension, correct?
Well I still need to use KeepassXC for passwords at many sites that do not have Passkeys and I'm concerned about any security issues of enabling Browser Integration.
If I leave all the settings in the Enable Browser Integration-> General and Advanced Tabs exactly as they are shown at,
https://keepassxc.org/docs/KeePassXC_UserGuide#_browser_integration
Will this expose my database to additional risks via the browser side?

[droidmonkey]

If you dont explicitly create from the browser or remember/allow while using the browser extension, then you will always be prompted prior to any entries being exposed to sites.

FWIW, you are far more likely to fall victim to phishing by NOT using the browser extension (ie, using auto-type).

[RT483b]

Thanks for reply Droidmonkey, that sounds reasonable and eases my apprehension about my Password entries.
Also you have any input on Pros and Cons of storing Passkey credentials for each device with KeepassXC instead of a Relying Party OS server. I'm new to Passkeys and still grappling it all, but for years I've always liked all my login data stored locally in KeepassXC. I also keep all my TOTP entries in a separate DB. It appears the big 3 relying party servers backup and share Passkey credentials without the Private Key (of the Passkey) since it's stored on the device enclave or OS TPM respectively.
With KeepassXC is the Private key (of the Passkey) also stored in the device enclave/TPM or in the KeepassXC DB?
My initial impression of Passkeys is that yes it defeats phishing via the credential verifying cryptography. But beyond that it seems to all ride on the access granting Passkey Pin vs biometrics which some sites say some device biometrics are not always consistent depending on light etc.
Appreciate any input or pointers to enlighten me.

[droidmonkey]

Passkeys are stored in the encrypted database file (kdbx) within KeePassXC. With the recent feature upgrade to KeePassDX, you can now also use those passkeys from Android seamlessly. Very nice!

Don't confuse biometrics with passkeys. Biometrics are used for User Presence verification, kind of a "last minute check" to make sure you are the rightful owner of the passkey.

[RT483b]

Thanks for reply, sorry if I worded that badly but I'm not confusing the biometrics. I was attempting to say the combo of the device Pin (password minimum of 4 to some X characters) and/or biometrics (if the device has 100% functional biometrics in all light nuances) is what ultimately prevents a device thief from getting access to your Passkeys.
On surface reading it appears the TPM of a given OS has a superior entropy and brute force protection of the stored Private Key than a Password Manager would. But that would depend on the Password Manager, it's encryption paradigm used, repeat attempt settings stored in the stolen DB file, and random structured length of the DB password.
Admittedly Passkeys defeat phishing via the device Private Key controlling cryptography taking the challenge and returning the correct verifying credentials. But it all still comes down to the possibility of a device thief getting access to the device stored Private Key. A hardware key can be stolen also especially if it's carried out doors.
However it appears brute forcing the Pin or Password to be a monumental task that is not likely for the TPM or a Password Manager, at least with the speed of computers today.
So I guess we could roll the dice or go with a gut feeling or what seems the most convenient Authenticator for creating our Private/Public keys, securely storing, managing and then authenticating our account Passkeys.
The big 3 Tech Giants tout their TPM or Enclave is better secured, including their shared server offerings. But something in me still tends to think having control of that data myself in a capable Password Manager is a pretty darn secure way of using Passkeys. And it offers cross device/platform advantages that sometimes is not always smooth with the Big Tech 3 all fighting for control of all your account activity.
But then I'm still new at understanding Passkeys other than what I can read, including them being kinda pushed as the near future standard. Wasn't that long ago it seemed we were still looking for solutions to store our TOTP secret seed in our possession instead of the foobarred outcomes of the early server backups.