Comment on Why isn't using a key file the most common way to log into self-hosted servers?
jj4211@lemmy.world 4 days ago
Broadly speaking, the private keys can be protected.
For ssh, ssh-agent can retain the viable form for convenience while leaving the ssh key passphrase encrypted on disk. Beyond that, your entire filesystem should be further encrypted for further offline protection.
Passkeys as used in WebAuthn are generally very specifically protected in accordance with the browser restrictions. For example, secured in TPM-protected storage, and authenticated by PIN or biometric.
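An added example, not part of the comment above: one way to check whether a private key file is actually passphrase-encrypted on disk, by reading the cipher and KDF names from the `openssh-key-v1` header or the legacy PEM encryption header. The function names and the sample blobs are constructed for illustration; the samples contain only header fields and no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def key_protection(pem_text):
    """Return 'encrypted', 'plaintext' or 'unknown' for a private key file's text."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return "encrypted"
    if header != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Legacy PEM (RSA/EC/DSA): encryption is flagged by a Proc-Type header.
        if "PRIVATE KEY-----" not in header:
            return "unknown"
        flagged = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return "encrypted" if flagged else "plaintext"
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            return "unknown"
        cipher, off = read_string(blob, len(MAGIC))  # e.g. aes256-ctr or none
        kdf, _ = read_string(blob, off)              # e.g. bcrypt or none
    except (ValueError, struct.error):
        return "unknown"
    return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"

def constructed_sample(cipher, kdf):
    """Build a CONSTRUCTED header-only blob (no real key material) for the demo."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    for cipher, kdf in [(b"aes256-ctr", b"bcrypt"), (b"none", b"none")]:
        print(cipher.decode(), "->", key_protection(constructed_sample(cipher, kdf)))
```

Run against the text of each file under `~/.ssh`, a `plaintext` result marks a key that relies on file permissions and disk encryption alone.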