CTAP defines an extension called credProtect which restricts when credentials on security keys may be used. Support for it is required in some cases and thus it is widely supported by security keys.
Chromium will request a protection level of userVerificationOptionalWithCredentialIDList when creating a credential if residentKey is set to preferred or required. (Setting requireResidentKey is treated the same as required.) This ensures that simple physical possession of a security key does not allow the presence of a discoverable credential for a given RP ID to be queried.
Additionally, if residentKey is required and userVerification is preferred, the protection level will be increased to userVerificationRequired. This ensures that physical possession of a security key does not allow sign-in to a site that doesn't demand user verification. (This is not a complete protection; sites should still carefully consider the security of their users.)
If an explicit credProtect level is requested by the site, that will override these defaults. These defaults never cause the protection level to be lower than the security key's default, if that is higher.