An authenticator can optionally store a User Handle specified by the Relying Party when a new credential is created, however for backwards compatibility with U2F authenticators the User Handle is also allowed to be null. Regardless, the Relying Party still needs to know which credentials are associated with each user, so that it can verify the credential used is actually owned by that user, and not someone else:
Identify the user being authenticated and verify that this user is the owner of the public key credential source credentialSource identified by credential.id:
If the user was identified before the authentication ceremony was initiated,
verify that the identified user is the owner of credentialSource. If credential.response.userHandle is present, verify that this value identifies the same user as was previously identified.
If the user was not identified before the authentication ceremony was initiated,
verify that credential.response.userHandle is present, and that the user identified by this value is the owner of credentialSource.
So to answer your question, the Relying Party must associate credentials with users, and authenticators may associate credentials with users.
Due to the possibility of lost authenticators:
Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account.