Can’t phishing be avoided with something like passkeys?

Yes, they’ll get username and password, but won’t be able to challenge for 2FA.

Also, perhaps using PWAs on something like GrapheneOS can mitigate a few more.