OpenID has been implemented in a privacy-preserving way: the provider (e.g. Google) does not know which identity has been signed into, nor does it know which dapps that identity has signed into.
As for security, the implementation relies upon signatures end to end, so security relies upon the trust the user puts in the provider (e.g. Google) to not be compromised. This isn’t very different from users storing their passkeys in e.g. Google Passwords or Apple Passwords, the platform defaults for most passkey users.
To clarify, passkeys are still supported in II 2.0; using OpenID is optional and not required. Users can also link/unlink their OpenID accounts from access methods and switch to passkeys at any time, and vice versa.
Most issues I’ve seen in the community are regarding the switch to discoverable passkeys, a topic that’s entirely orthogonal to OpenID authentication.
As for OpenID and user adoption, this lowered the adoption friction significantly for dapps, e.g. the majority of new Caffeine users use OpenID.