There is a fundamental tension here though - suppose DMA or something requires that online providers recognise reCAPTCHAs from non-Google-attested OS builds. What OSs can they safely trust?

Only ones that are difficult for fraudsters to use to generate bogus traffic. Whether or not those builds come from Google, they are inherently gonna be pretty constrained OSs. It's not gonna let you spoof your location or simulate user input.

I do think it's a problem if only Google can provide these attestations but even if that organisation problem is solved there is still a fundamental technologic problem here now that humans can't be detected by their ability to solve puzzles any more.

Exactly. Imagine them blocking captchas on iphone or windows