This doesn’t stop the scheme the parent proposes, where adults install some proxy on their device and challenges are responded to on the parent device. Then the private key never leaves the parent device and all the child device has is the proxy software, which could be set up to not log any identifier of the key that it used