Your idea works for generic crawlers.

That doesn't work for targeted bots. A major benfit of device attestation is to stop the hordes of custom bot creators who try all sorts of ways to make a buck off of your platform such as sms toll fraud, credit card testing, ad fraud, account takeovers, stolen card laundering, gift card laundering, botting for pay for platform / ecosystem benefits, paid harassment, the list just keeps going.

Some aps such as okta, banking, and others already check platform verfication. Websites can't currently until device attestation.

Personally, I hate the concept, but I also hate spending a large amount of time fighting mal-actors on my platform in a completely unbalanced fight. There are tons of them, and they have all the profit incentive. There's a few of us, we only take losses. They can lie all they want, we can't really trust any facts except kinda the credit card and the device attestation.

Like everything, it's a shitty compromise, but, as a platform runner, if I can leverage google's signal and cut 95% of my malicious botting users, guess what I'm going to do.