Unlimited! Except for passwordless credentials, which do consume storage space aboard the device. But second factor (U2F style) credentials are stored encrypted on the server, so there's unlimited "space" for them.
For U2F you're right that it becomes single factor if you use the device as the only factor. With FIDO2 (which is what makes passwordless available), however, the device supports a local PIN as the "something you know" factor - and it's also a better kind of knowledge factor than a traditional password since it's never sent over the network.
Care to elaborate on how you mean WebAuthn prescribes that? The GUN explainer videos also seem to assume there's a server involved, so I don't understand what you mean is bad about that.
No, you were right at the beginning. There is no "root" or "real" pubkey. A separate keypair is generated each site, so that - like you said - identities are unlinkable. This is also a crucial part of what makes these credentials immune to phishing.
Web Authentication is part of FIDO2, which is what Microsoft is pushing. Whether you use it for passwordless login or second factor depends on what the server wants and what authenticator hardware the user has.
No - that process _remains_ a pathway for exploits against the particular website being targeted. The process does not open new pathways for transferring exploits from one site to another - on the contrary, such exploits are made more difficult by the separation of credentials.
To be more precise, the PIN is the key that unlocks the keyring (the hardware token) that contains the keys (asymmetic keypairs) to the various kingdoms (websites). WebAuthn is not a single sign-on framework, and there's no "root credential" that's used everywhere.
Oh, maybe I didn't get the entire question. There's no global identity or "root credential" used for all websites. A separate keypair is created for each website, and a keypair for site A is not usable on site B even if site B somehow has the public key.
No third party issues tokens in WebAuthn either - you have your one or a couple of authenticators you use everywhere, and those authenticators create their credential keypairs locally on the device (and a separate keypair is created for each site - they're not shared between sites).