That said, there are countless mobile devices with locked bootloaders and and boot integrity attestation that will never run anything other than OEM OSes. That's equivalent to a locked Secure Boot + UKI-like system on PCs and it's already here.
You mean right now? At a firmware level, the scope of "trusted computing" is expanding with every passing year.
> close the ecosystem they created any more than Microsoft was allowed to.
We are in the process of allowing Microsoft to close the PC platform. TPM is required to run Windows now. Nearly every new PC ships with "secure boot" enabled, adding a new technical barrier to escaping Windows that didn't exist before. Remove that toggle from the BIOS, and you now effectively have a vehicle to Windows-only PCs.
All modern PCs ship with Pluton coprocessors. The end-to-end remote attestation hardware infrastructure is all already there, waiting for someone to flip a switch and turn it on.