The scary part is not about losing her phone. It's about having to keep the old, no-longer-secure Android phone alive just for passkeys after getting a shiny (and secure) new iPhone.
I have 531 logins for varied websites and services. Would you enjoy having to change 531 passkey devices? Me neither. But default login flows in all these sites prompt you to use your current device as passkey by default, so people who don't know better (i.e. a general "everybody") are being gently pushed to do so.
No, which is why there is the cross platform standard CXF which allows for cross platform sharing of passkeys. Apple has announced that support for this is shipping later this year with iOS 26. Google hasn't announced when they are shipping it yet.
AFAIK, there is no requirement for websites to support multiple passkeys nor, if they do, to support them in a sensible way. Some sites do this well, most don't.
