I don't know what a service provider is in this case for sure, but I'll assume you mean something like Google Password Manager or iCloud Keychain or 1Password.

There's no guarantee that they will act in a user-beneficial manner, except they all already exist and already act in a user beneficial manner, and that there is no strategic benefit of acting in a user-hostile manner.

> With passwords, there is no way for the service provider to hide the cleartext password from you

Sure there is. They could refuse to do anything but form fill the passwords on registration and authentication pages, where the field in the browser will not allow you to copy the password back out.

The force that keeps them from doing such user-hostile behavior for lock-in today is that nobody would want to use that system. They would not use that vendor. It would be product suicide.

> effectively locking you into their ecosystem, and there is nothing you could do to avoid this.

Unlike passwords, sites are encouraged to allow you to register multiple passkeys. Some sites may push the user to do this for convenience, such as if they see user utilizing a security key or phone to authenticate into their desktop when the desktop is capable of doing passkeys directly.

This gives a whole new ability to jump ship if you decide you don't like your software vendor.

Now, there is a parallel question of "what if a vendor uses their monopolistic power to prevent an ecosystem from being created, and then acts in a user-malicious manner". I suspect they would quickly get multi-national scrutiny.

WebAuthn is a standard. From what I understood, can use any third-party authenticator like a YubiKey instead of Google's implementation.

> can use any third-party authenticator

You can, but most people won't because they will be locked-in, this is not the case with passwords as it's quite easy to change password manager without having to reset all your passwords.