alt Hacker NewsAs far as I know, root and tap to pay are pretty much mutually exclusive, at least if you meant Google Pay? Unlocked and rooted devices do not pass remote attestation. And it's not just something you can fake when you have root, since it is anchored in hardware (the attestation certificate chain is signed by a hardware-backed key and contains the verified boot state and verified boot key).
I can tap to pay with google pay on my rooted pixel while the spoof key isn't blacklisted, IIRC it uses dumped credentials extracted from other devices but I can reliably spoof Play Integrity and SafetyNet. It would be nice to not have an adversarial relationship with my things for once.