> Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process?

A misguided administrator is very likely to think "They can't use a malicious device to access our service".

What's the benefit for a private service?