It gets better. With malware on the box you own the primary refresh token, which can mint new browser tokens without needing passwords or MFA.

Definitely use FIDO2, but understand that it's not foolproof. Malware, OAuth phishing, XSS, DNS hijacking, etc. will still pwn you.