Comment on YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel

Bitrot@lemmy.sdf.org 2 months ago

One thing the article doesn’t make very clear is that for 2FA the PIN requirement comes from the site itself. If the site requires User Verification, the PIN is required. If not, it is not prompted even if set and this attack is possible. The response to the site just says they knew it.

It is different for Passkeys. They are stored on the device and physically locked behind the PIN, but this is just an attack on 2FA where the username and password are known.

It also seems limited in scope to the targeted site and not everything else protected by that key. That limits how useful this is in general, which is another reason it is sort of nation-state level or an extremely targeted attack.

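The site-side check the comment above describes, as an added example that is not part of the original comment: a relying party reads the User Verified (UV) flag from the WebAuthn authenticator data and rejects the login when its own policy requires a PIN. The function names and the sample bytes are constructed for illustration, and verification of the signature, challenge and rpIdHash is assumed to happen elsewhere.

```javascript
// Added example: enforcing User Verification on the relying-party side.
// Authenticator data layout (WebAuthn): rpIdHash (32 bytes) | flags (1 byte) |
// signCount (4 bytes, big-endian) | optional extra data.
const FLAG_UP = 0x01; // User Present: the key was touched
const FLAG_UV = 0x04; // User Verified: the authenticator checked a PIN or biometric

function parseAuthenticatorData(buf) {
  if (!Buffer.isBuffer(buf) || buf.length < 37) {
    throw new Error('authenticator data shorter than 37 bytes');
  }
  const flags = buf[32];
  return {
    rpIdHash: buf.subarray(0, 32).toString('hex'),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// policy is the userVerification value the site sent in its request options.
// Only 'required' makes a missing UV flag a failure; with any other value a
// touch alone is accepted, even when a PIN is set on the key.
function checkUserVerification(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'user presence flag not set' };
  }
  if (policy === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'policy requires UV but the flag is not set' };
  }
  const reason = parsed.userVerified ? 'user verified' : 'presence only, no PIN check';
  return { ok: true, reason };
}

// Constructed sample input: placeholder rpIdHash, chosen flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = Buffer.alloc(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  buf.writeUInt32BE(signCount, 33);
  return buf;
}

for (const policy of ['discouraged', 'required']) {
  const touchOnly = checkUserVerification(sampleAuthData(FLAG_UP, 7), policy);
  const touchAndPin = checkUserVerification(sampleAuthData(FLAG_UP | FLAG_UV, 8), policy);
  console.log(policy, '| touch only:', touchOnly, '| touch + PIN:', touchAndPin);
}
```

The flags byte is part of the data the authenticator signs, so this check is only meaningful after the assertion signature has been verified.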