Most attacks are remote, not involving physical access to a specific (compromised) device. Think a compromised website exposing 1000s of peoples passwords, and trying those passwords against other services. For that threat vector, it is more secure.
The way I would look at it is if that threat concerns you, don't use it for high-value accounts (email, bank, etc). Still is probably worth using for all those other low-value accounts; if an attacker has your phone, and has broken in to it, them having access to your Netflix account is probably the least of your worries.
There are hundreds of phones stolen by the youth with hoods and stolen e-bikes in London each day. If they grab your phone in the seconds before it locks your screwed. That’s my biggest concern!
The passkey provider should require either a PIN or biometrics each time it is authenticating you against a service. So it won’t matter if your device was unlocked when it was stolen
The way I would look at it is if that threat concerns you, don't use it for high-value accounts (email, bank, etc). Still is probably worth using for all those other low-value accounts; if an attacker has your phone, and has broken in to it, them having access to your Netflix account is probably the least of your worries.