Your idea works for generic crawlers.

That doesn't work for targeted bots. A major benefit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform such as SMS toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay for platform / ecosystem benefits, paid harassment, the list just keeps going.

Some apps such as okta, banking, and others already check platform verification. Websites can't currently until device attestation.

Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There are a few of us, and we only take losses. They can lie all they want; we can't really trust any facts except kinda the credit card and the device attestation.

Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.

> A major benefit of device attestation is to stop the hordes of custom bot creators

Attestation is extremely ineffective at preventing this because it requires attackers be unable to compromise their own devices, even when they have permanent physical access to the hardware and can choose which model to buy and get devices known to be vulnerable.

For example, CVE-2026-31431 is from only a week ago. It's a major local privilege escalation vulnerability. If you can run unprivileged code you get root. How many people have Android phones that can pass attestation but will never see the patch because the OEM has already abandoned updating them? Tens of millions, hundreds of millions?

Attackers can trivially get root on a device that passes attestation. Many devices even have vulnerabilities that allow the private keys to be extracted.

The main thing attestation actually does is beset honest users who just want to use their non-Android/iOS device without getting a million captchas, because they chose the device they wanted to use as a real human person instead of doing as the attackers do and choosing a device for the purpose of defeating the attestation.

And it's easy to confuse this with real effectiveness because whenever you roll out any security change, the attacks may subside for a short period of time as the attackers adapt to it. But that's why it makes sense to avoid things that screw innocent people or entrench monopolies -- while the temporary effectiveness wears off, the screwing becomes permanent. Meanwhile spending the same resources on any other method of shuffling things around to make them adapt will give you the same temporary effectiveness without hurting your legitimate users.
