• 0 Posts
  • 2 Comments
Joined 5 months ago
Cake day: June 5th, 2025


  • Doesn’t the post conclude the opposite, however: that you can in fact manage your own passkeys outside of any “big tech”?

    I think one important detail the author missed is that passkeys are in most cases not a sensible replacement for a password. They can act as a convenient semi-permanent replacement or second factor, but you will always need a mechanism should the passkey or device be lost, which will be a traditional password or account recovery.

    If parties do not trust your particular passkey provider / system then you lose that convenience, but the spec does need some way to handle obviously flawed or broken client implementations. If all your passkeys are hanging out in plain text without a PIN/biometric/other key gating their access, they are all compromised and should be rejected.