But it's not more secure than password auth. My passwords are not guessable, by anyone. Period. You are assuming passwords are guessable; they are not. They are not reused. They are not crackable. It's utter bullshit that an SSH key pair is more secure than passwords done right.
"But what about a keylogger / what if your password manager is compromised / etc." if someone has root access to my machine and can read my encrypted documents or log my keystrokes, the game is up for an SSH private key as well. There's no reason to say my SSH private key sitting on my hard drive is more secure than my GitHub-specific password sitting (encrypted) on my hard drive.
SSH key pairs are more secure on average because passwords are used by everybody and SSH key pairs are used by security nerds. That's it. That's all there is.
"But what about a keylogger / what if your password manager is compromised / etc." if someone has root access to my machine and can read my encrypted documents or log my keystrokes, the game is up for an SSH private key as well. There's no reason to say my SSH private key sitting on my hard drive is more secure than my GitHub-specific password sitting (encrypted) on my hard drive.
SSH key pairs are more secure on average because passwords are used by everybody and SSH key pairs are used by security nerds. That's it. That's all there is.