I think if you are doing it in the browser then you bind the flow to the request origin making it phishing resistant compared to a static, origin agnostic storage

How it's better: automatically synced across all a user's devices, not subject to manual interactions with input fields (you can't programmatically request/regen passwords the same way you can with this).

I did use AI for the ECDSA public key recovery diagram, because I wasn't about to spend hours hand rolling that in Lunacy. It's correct in broad strokes, and anyone who wants to understand it more deeply can just look at the code, imo.