
And also, the user has to send the cleartext (unhashed) password to the website to log in every time, in which case it can be intercepted.

Whereas with public key authentication you don't send the private key; you 'prove' that you have it, typically by performing a challenge.
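The challenge-response exchange the comment describes, as an added example that is not part of the original comment: the server stores only a public key and issues a fresh random challenge per login, and the client returns a signature over it, so an intercepted response cannot be reused. The Ed25519 choice, the `CONTEXT` label, and the names `makeClient`, `makeServer` and `demo` are assumptions made for illustration.

```javascript
// Added example: challenge-response login using Node.js built-in crypto (Ed25519).
const nodeCrypto = require('crypto');

// Hypothetical domain-separation label so the key only ever signs login challenges.
const CONTEXT = Buffer.from('example-login-v1:');

// Client side: the private key stays inside this closure and is never transmitted.
function makeClient() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // registered with the server once; safe to disclose
    respond: (challenge) =>
      nodeCrypto.sign(null, Buffer.concat([CONTEXT, challenge]), privateKey),
  };
}

// Server side: holds public keys only and issues single-use random challenges.
function makeServer() {
  const users = new Map();   // username -> public key
  const pending = new Map(); // username -> outstanding challenge
  return {
    register: (user, publicKey) => users.set(user, publicKey),
    challenge(user) {
      const c = nodeCrypto.randomBytes(32);
      pending.set(user, c);
      return c;
    },
    login(user, signature) {
      const c = pending.get(user);
      pending.delete(user); // a challenge is consumed whether or not it verifies
      const key = users.get(user);
      if (!c || !key) return false;
      return nodeCrypto.verify(null, Buffer.concat([CONTEXT, c]), key, signature);
    },
  };
}

// Constructed scenario: one honest login, then a replay of the captured response.
function demo() {
  const server = makeServer();
  const alice = makeClient();
  server.register('alice', alice.publicKey);
  const captured = alice.respond(server.challenge('alice'));
  const first = server.login('alice', captured);    // valid for this challenge
  server.challenge('alice');                        // new login attempt, new challenge
  const replayed = server.login('alice', captured); // old signature, wrong challenge
  const wrongKey = makeClient().respond(server.challenge('alice'));
  return { first, replayed, impostor: server.login('alice', wrongKey) };
}
```

Everything that crosses the wire here (public key, challenge, signature) can be observed without giving the observer a way to log in later, which is the contrast with a password that is sent in cleartext form on every login.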


