Support more than 5 FIDO2/WebAuthn keys for 2FA

In fact, the option Use for vault encryption seems to be enabled by default for new passkeys.

That depends on the implementation, e.g. if the data is encrypted multiple times. But you are right, normally this should happen only on the client side. However, this could still be the reason for a limit like the warning when changing the number of KDF iterations.