According to their FAQ they state:

Who's holding the keys?

Smart wallets are secured by passkeys stored on the user's device. Passkeys are backed up with passkey providers such as Apple, Chrome, or 1Password, or on hardware such as YubiKeys. Passkey signatures are validated directly onchain via an open source and audited smart contract. Coinbase never holds keys and never has access to user funds.

Won't they still have a private key which must be somewhere? I don't really believe that this is something self-custodial. Did anyone have a deeper look into that already?

I will make new comment but also I agree with your comment below. Anything that has complexity is not good because it is created by developers that do not understand Blockchains, privacy and data security.

Never store very important high value wallet as they recommend always use air gapped hardware wallet completely offline and never connects to the internet.

Also, people need to do their research and pay attention what kind of level of encryption companies use as Coinbase wallet is company backed wallet and they are in control, it is not self custody. Companies today use less and less high level encryption for example many wallets experienced hacks because of this, if a company use 32 bit or 64bit encryption it is reg flag. good encryption is above 128 bit recommended by experts is above 192 bit. Maybe I can make post ask on Musing if people know what level of encryption is their wallet.