It makes no difference to the user whether the FIDO standard requires biometric authentication, or the server using FIDO elects to require it. In either case his biometric data is now part of the login process, even if only on his phone, and potentially subject to compromise.
But on a different subject, Steve Gibson (Spinrite) spent several years developing a password alternative called SQRL (Secure Quick Reliable Login) which uses a method similar to FIDO2, but is simpler, and offers the user the option of printing out as text or QR code his master key. Each user has only one master key, not one for each site. The elliptic curve private key for a site is a hash of the master key and the site's name, modified slightly to make the hash a valid private key. Since it can be calculated on each visit to the site, there is no need to save each one. Then the public key is calculated from the private key, and given to the website. At login, the usual cryptographic exchange takes place, which verifies that the person logging in has the private key, but without revealing the private key.
There is no third party backup of the master key, and no third party involvement in the login. Since each user has a written copy of his master key, recovery from lost or dead phones, or transfer to new devices, is straightforward. Access to the master key on the device is available only after the user logs into his SQRL app - in whatever manner provides the most security the user can tolerate, which may be very little, at the user's option.
My understanding of FIDO2 is that a separate random key pair is generated for each site, which means that a user may have hundreds of them. And FIDO2 does not allow the user to know them or to make a copy of them. That means that Apple, if it chooses, can limit transfer of the keys only to other Apple devices, which would make it impossible to switch to an Android phone. Do we know yet what the major players' intentions are in this regard? Are we going to have FIDO2 silos?
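The per-site key derivation and login exchange described for SQRL in the comment above, as an added example that is not part of the original comment and not SQRL's own code. It assumes HMAC-SHA256 as the hash and Ed25519 as the curve; the function names, site names and sample master key are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SiteKey derives the key pair for one site from the single master key and
// the site's name. Assumption: HMAC-SHA256 keyed with the master key.
func SiteKey(master []byte, site string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(site))
	seed := mac.Sum(nil) // 32 bytes, recomputed on every visit, never stored
	// NewKeyFromSeed hashes and clamps the seed, which is the "slight
	// modification" that turns a hash output into a valid private key.
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// Login models one exchange: the server issues a challenge, the client
// re-derives its site key and signs, and the server verifies the signature
// against the public key it stored at registration.
func Login(master []byte, site string, registered ed25519.PublicKey, challenge []byte) bool {
	_, priv := SiteKey(master, site)
	// Bind the site name into the signed message so a signature for one
	// site is never valid for another.
	msg := append([]byte(site+"\x00"), challenge...)
	sig := ed25519.Sign(priv, msg)
	return ed25519.Verify(registered, msg, sig) // private key never leaves the client
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed sample master key
	pubA, _ := SiteKey(master, "example.com")
	pubB, _ := SiteKey(master, "example.org")
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	fmt.Println("same master, different sites, same key:", bytes.Equal(pubA, pubB))
	fmt.Println("login to example.com:", Login(master, "example.com", pubA, challenge))
	fmt.Println("example.org key accepted at example.com:", Login(master, "example.com", pubB, challenge))
}
```

Because each site sees a different public key, two sites cannot link the same user by comparing stored keys, yet the holder of the master key can rebuild every site key on a new device.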