Passkeys tied to actual hardware, like the TPM-based solution in Windows Hello, whenever possible, Keepass where not.
Keepass DB cloud synced, but the passkey file I use in conjunction with a p/w to open it never leaves the machine(s) it's on. Also, key file needs Admin rights to read, so KP is run privileged, which also protects its process memory space from user-land snooping.
Even better than the TPM in Windows is a hardway FIDO2 or OTP key, I'd imagine. Those cannot be comprimised by a virus on your PC in the same way, assuming you don't leave the key in at all times and you only tap the button when explicitly logging into something that would require it.
Keepass DB cloud synced, but the passkey file I use in conjunction with a p/w to open it never leaves the machine(s) it's on. Also, key file needs Admin rights to read, so KP is run privileged, which also protects its process memory space from user-land snooping.