Revoke/change a passkey

Is it possible to revoke or change a passkey so a user can unshare a previously shared passkey with someone?

Passkeys are standard WebAuthn credentials, and follow the revocation rules defined in the WebAuthn spec. To rotate a WebAuthn credential, you can trigger a new registration with the same userID as the existing credential. This will generate a new public/private key pair that overwrites the existing one on the user's devices. Then your server should stop accepting signatures using the old public key.

If someone knows the userID, what's stopping them from registering with the target's userID...essentially taking over their account?

When revoking/rotating a passkey, there are two sides: locally updating the passkey on the user's device(s), and updating the list of accepted public keys on the server backend. This is equivalent to updating a user's password in their password manager, and updating the password hash on the backend. Knowing a userID for a passkey-based account is comparable to knowing an email for a password-based account.

My above answer refers only to the local side. When a website or app triggers a new registration on a user's device, and the relyingParty+userID passed by the site/app matches a passkey on the device, that passkey will be overwritten in place (i.e. just like updating the password in their password manager). Independently from that, the site needs to store the new public key for the account on the backend. Just like updating a user's password hash, the site should require authentication before updating a user's stored set of public keys.
