Practically speaking yes, the OS (and further down the TPM/enclave) will be the root of attestation. Google here is starting with Google Play Integrity (previously known as SafetyNet), which is an OS-level attestation authority. On Windows, this attestation would probably be done via TPM/Secureboot and Windows integrity APIs.

That's what's scary about it, because it has the potential to make large parts of the web inaccessible unless you have a signed and sealed OS layer and browser to browse it with.