But a software password manager on a compromised computer can be compromised, right? It feels like the secrets can't be extracted by a compromised computer: the attacker needs physical access to the Yubikey.

This sounds better than a software password manager, right? Or am I missing something?

Definitely, but GP mentioned

> [...] phishing, which is the attack the 99.9% of us have a practical reason to worry about [...]

Both physical and software authenticators protect just fine against that.

But lesser convenience and with more hassle.

You're right: a physical security key is a lesser convenience with more hassle than a personal password manager in my case.