Yes. In WebAuthn every single time you enroll on some web site with this system, a completely random new private key will be generated and the site will be given the corresponding public key and a fresh magic "cookie" identifier that serves no other purpose.
Your Apple device remembers the association between this particular web site, any user ID the site said is relevant (e.g. maybe the username mrwnmonm and friendly name "Shiny Steve"), the cookie, and the private key.
On subsequent visits either of two things can happen:
1. You tap some sort of easy one-touch login button. The Apple device says "Hey, sign in here as mrwnmonm / Shiny Steve?" and you use your Touch ID to prove you are still you. This unlocks the private key, and Safari uses the private key to create a proof that you still know that key and attaches the proof and the cookie. The site recognises you must be Shiny Steve and you're in.
2. You sign in "normally" (e.g. with a username and password) but then as a Second Factor the site shows the Apple Device the cookie it remembers, your device recognises this cookie and prompts you for a touch to prove you are still Shiny Steve, whereupon it uses the private key to sign a proof and send it back to the site.
Because the keys are different on every site, even if two web sites deliberately work together to try to figure out if a user on one site is the same person as a user on another site, WebAuthn doesn't help them do that at all.
Also unlike passwords or most other schemes, there's no risk from mass data loss because the web site is storing public information. If a "dump" of every Facebook WebAuthn public key was made, that's essentially useless to everybody except Facebook anyway, whereas obviously a password dump or a dump of all the TOTP secrets would be a huge security problem.
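An added example, not part of the original comment: a simplified Node.js model of the enrollment and login flow described above, showing that each site gets its own key pair and identifier and that a proof only verifies for a fresh challenge at the site it was made for. The `Authenticator` and `Site` classes, the `.example` site names and the signed message layout (`rpId || challenge`) are assumptions for illustration; real WebAuthn signs authenticator data plus a hash of the client data.

```javascript
// Simplified model of WebAuthn enrollment and login (added illustration).
// Assumption: the signed message is rpId || challenge; sites and names are constructed.
const nodeCrypto = require('node:crypto');

class Authenticator {
  constructor() { this.store = new Map(); } // credentialId -> { rpId, user, privateKey }
  // Enrollment: a fresh random key pair and identifier for every site.
  enroll(rpId, user) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const credentialId = nodeCrypto.randomBytes(16).toString('hex');
    this.store.set(credentialId, { rpId, user, privateKey });
    // Only public material leaves the device.
    return { credentialId, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
  }
  // Login: sign the site's challenge with the key remembered for that identifier.
  getAssertion(rpId, credentialId, challenge) {
    const cred = this.store.get(credentialId);
    if (!cred || cred.rpId !== rpId) return null; // unknown identifier or wrong site
    return nodeCrypto.sign('sha256', Buffer.concat([Buffer.from(rpId), challenge]), cred.privateKey);
  }
}

class Site {
  constructor(rpId) { this.rpId = rpId; this.users = new Map(); } // stores public keys only
  register(credentialId, publicKeyPem) { this.users.set(credentialId, publicKeyPem); }
  newChallenge() { return nodeCrypto.randomBytes(32); }
  verify(credentialId, challenge, signature) {
    const pem = this.users.get(credentialId);
    if (!pem || !signature) return false;
    return nodeCrypto.verify('sha256', Buffer.concat([Buffer.from(this.rpId), challenge]), pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const a = new Site('site-a.example'), b = new Site('site-b.example');
  const regA = device.enroll(a.rpId, 'mrwnmonm'), regB = device.enroll(b.rpId, 'mrwnmonm');
  a.register(regA.credentialId, regA.publicKeyPem);
  b.register(regB.credentialId, regB.publicKeyPem);
  const chal = a.newChallenge();
  const sig = device.getAssertion(a.rpId, regA.credentialId, chal);
  return {
    loginOk: a.verify(regA.credentialId, chal, sig),                  // valid proof accepted
    replayFails: !a.verify(regA.credentialId, a.newChallenge(), sig), // old proof, new challenge
    crossSiteFails: !b.verify(regB.credentialId, chal, sig),          // site A's proof at site B
    unlinkable: regA.publicKeyPem !== regB.publicKeyPem && regA.credentialId !== regB.credentialId,
  };
}
```

What each `Site` stores in `users` is the identifier and the public key, which is all a database dump would contain.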