If someone "steals" your fingerprint or your PIN, they still have to seize your key fob/phone/laptop.
The biometric data or PIN does not leave the authenticator (although the browser/OS may be responsible for capturing the PIN for a key fob with limited input capabilities).
The devices also have security and biometric testing/certification, so users who are concerned about the data being hacked or leaked from that device in your possession can look for a certain certification level.
Yes, it is unlikely that a pure biometric as the sole factor with remote verification would ever be secure enough to be a single, lifetime authentication method. It would require a zero-knowledge challenge/response against some biological process, with no false positives/negatives (even in cases of family members/twins with similar features/DNA). There are also legal reasons I'd want to stop being identified as that person (witness protection program being the one that jumps to mind).
It's far more likely we would go from wearables to implanted hardware, which would still be a two-factor authenticator.