Why can't you fake remote attestation? I imagine it's a bit more involved than swapping a user agent, but is there some magic mechanism that makes it impossible to spoof?
Maybe not impossible, but my understanding is the TPM and the closed-source nature of the system-level code will make it difficult enough that 99% of users will not be able to do it, which is what industry wants. They're never worried about diehards and hermits. Those people will be confined to their caves & made irrelevant.
That's backwards. It's the diehards (i.e. determined adversaries) they are thinking about. 99% of users are already not doing this stuff. They want a way to continue servicing that 99% and shut out the remainder. That's the whole point.