This, but notably also: the hardware attestation API will report a device as fully locked down and secured even when a device is infected with a sophisticated-enough piece of malware. Plus, in the past manufacturer keys have leaked but keys have not been revoked.

Hardware attestation is quite useless when a device that hasn't received a single security update in four years is considered safe, but a locked-down ROM implementing everything Google has invented and more is considered dangerous.