The position of GrapheneOS is that attestation shouldn't be used to restrict people to an allowlist of hardware and operating systems. It can be used without forbidding them from using what they want to use. However, if it's going to be used to make an allowlist of hardware and operating systems, then it needs to permit anything at least as secure as what they're permitting to be approved. Instead, they're enforcing Google's business model for licensing Google Mobile Services while not requiring secure devices at all. There's no security value in the current Play Integrity API, which permits devices with no patches for 10 years.
Even the Play Integrity API strong integrity level only enforces being no more than 1 year behind on the official Android security bulletins, which are 3-4 months outdated at release, so that's nearly a year and a half behind on patches. It also has the massive loophole of permitting being arbitrarily behind on patches for Android versions earlier than Android 13, so even the strong integrity level permits a device launched with Android 8 with no patches applied since then. That's not a security check, it's a business model check to lock out alternatives not licensing Google Mobile Services. The licensing terms for Google Mobile Services have been found to be illegal in multiple countries. Google enforcing agreement to those terms with the Play Integrity API is a truly extraordinary violation of antitrust laws. Governments are not only failing to act but adopting it themselves. It's going to be looked back on as a massive failure for technology regulation/legislation, along with government tech policy beyond that.