Hacker News

csuwldcat, last Wednesday at 3:00 PM

Yes, this is true; however, that means an external actor is able to execute arbitrary code in your origin, so they could also trick the user into signing malicious payloads with even the native passkey itself. There's more downside to exfiltration here, but having arbitrary code from an external party executing in your page is a more general cause for concern you'd need to mitigate regardless.