The specs have moved to describing them as discoverable (usable without an allow list) and not discoverable, requiring an allow list.
What you say is largely true. However, some authenticators like the Android platform authenticator, when making a non discoverable credential will still store the private key, public key, raid and the credentialID in the authenticator. The credentialID is just an opaque identifier to look up the other info.
Some other Authenticators like the Apple and Microsoft platform ones will always make discoverable credentials even if the RP sends resident key discouraged or require resident key false. In those cases, all the key info plus userID name icon etc are stored in the authenticator.
So for non discoverable, it depends on the Authenticator.
John B.