Attestation information requires that at least 100k security devices share the same attestation key, so device information can't really be used to track a given user. The proposed devicePubKey extension that helps RPs reason about which device is authenticating with a given Passkey scenario also requires domain-specific DPKs, meaning multiple identities using the same authenticator are indistinguishable as far as WebAuthn is concerned.

Of course, other signals like origin IP or browser fingerprinting can be used to correlate identities.