Hacker News

digiowntoday at 3:11 AM

It was perhaps not phrased that well. I meant that it would prevent passkeys from being used on user-controlled systems at all, since there wouldn't be a way for a passkey implementation to hide the attestation key from the user if the user can perform arbitrary modifications to the operating system. It will end up exactly like one of these DRM schemes, where you can't watch more than 720p videos on Linux.

Remote attestation in general is a backdoor to software freedom and ownership bestowed on you by free software, in the same way that tivoization is. Tivoization prevents you from running a modified version of the software on the same hardware, while attestation discriminates against you for running a modified version.

I do agree we should have repurposability, but that's mostly independent of this attestation topic, IMO. I also think the tradeoff between security/privacy and freedom is greatly overblown. There is some, but giving the user an adb root shell or an ssh server with a key will not significantly decrease the security of the user on Android. (It might reduce the security of the apps against the user, but it shouldn't be there in the first place.) I'd be fine with not having app store access if it weren't mandatory for daily life, but that's not the case in our world.