MPC-TSS seems fundamentally broken. The user's backup shard:

- Is either in the hands of the provider, giving them custody (2/3).
- Or requires the user to securely store an encryption key, essentially providing the same experience as a seed phrase.

Every embedded wallet seems to use this approach. What am I missing?

Check out the demo for Coinbase’s new smart wallet. You get the upside of an embedded experience (no apps to install, instant creation) and it’s all tied to your passkey, fully self sovereign and portable, no complex mpc setups to think through. keys.coinbase.com/developers

Coinbase Wallet - Making it easy. Check it out https://keys.coinbase.com/developers

This is very nice! I do think passkeys are the best way to do embedded wallets. 

Is the passkey is used to encrypt the actual ECDSA signer key hosted by Coinbase? How can I protect against Coinbase losing or censoring the actual key?

This is an awesome question. It depends on what trade offs you want to tolerate. 

For example with passport, we make sure the user has no shares but all the network nodes run enclaves + MPC so the key is still distributed + non custodial