This works by signing an attestation using a hardware-backed key (which is in turn signed by Google). So, there is no way to emulate this in software, because your ROM simply does not have the private key to do so. Part of the attestation is information on whether the booted operating system was signed:
Again, since this is all hardware-signed, you could only fake this information if you were somehow able to extract the private key from the secure element. The primary weakness is that you could try to patch out the part of the application that asks for this attestation. But they found a solution to that: remote attestation. Instead of the app asking for the attestation, e.g. Google's servers or your bank can ask for the attestation, and for the reasons outlined above, your custom firmware is not able to fake this. If your bank, etc. implemented remote attestation, you simply cannot do banking on your phone anymore.
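
A toy model of the scheme described above, added here as an example and not part of the original comment. Ed25519 keys stand in for the vendor root and the hardware-backed device key; the `Attestation` record, the function names and the payload encoding are assumptions for illustration, not the real Android attestation format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

type Attestation struct { // simplified stand-in for a key attestation record
	Nonce, Cert, Sig []byte            // server challenge, root's signature over Pub, device signature
	Pub              ed25519.PublicKey // hardware-backed key; the private half never leaves the chip
	BootSigned       bool              // was the booted OS signed?
}
func payload(n []byte, signed bool) []byte { return []byte(fmt.Sprintf("%x|%t", n, signed)) }
// Attest models the secure element: it signs the boot state it measured itself.
func Attest(priv ed25519.PrivateKey, cert, nonce []byte, signed bool) Attestation {
	pub := priv.Public().(ed25519.PublicKey)
	return Attestation{nonce, cert, ed25519.Sign(priv, payload(nonce, signed)), pub, signed}
}

// Verify is the remote side (the bank's server), which trusts only the vendor root key.
func Verify(root ed25519.PublicKey, want []byte, a Attestation) error {
	switch {
	case len(a.Pub) != ed25519.PublicKeySize || !ed25519.Verify(root, a.Pub, a.Cert):
		return fmt.Errorf("device key is not certified by the vendor root")
	case !ed25519.Verify(a.Pub, payload(a.Nonce, a.BootSigned), a.Sig):
		return fmt.Errorf("attestation not signed by the certified key")
	case string(a.Nonce) != string(want):
		return fmt.Errorf("nonce mismatch: stale or replayed attestation")
	case !a.BootSigned:
		return fmt.Errorf("booted OS was not signed")
	}
	return nil
}

// Demo uses freshly generated (constructed) keys and returns three verdicts.
func Demo() (stock, unsigned, forged error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := ed25519.Sign(rootPriv, devPub) // issued once, at manufacture
	nonce := make([]byte, 16)
	rand.Read(nonce)
	stock = Verify(rootPub, nonce, Attest(devPriv, cert, nonce, true))
	unsigned = Verify(rootPub, nonce, Attest(devPriv, cert, nonce, false))
	_, romPriv, _ := ed25519.GenerateKey(rand.Reader) // software-only key made by a custom ROM
	forged = Verify(rootPub, nonce, Attest(romPriv, cert, nonce, true))
	return
}
func main() { fmt.Println(Demo()) }
```

Because the check runs on the server, removing the attestation call from the app changes nothing: the server still receives no valid record for its nonce.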