Whether this is bad or good really depends on the details and the overall strictness. It seems like none of the articles I've seen on the subject go into depth explaining what makes a device "legitimate."
This could be a really good thing if all it's doing is proving that your device isn't malicious, or being better able to detect whether you are a bot. If our end-user experience doesn't change but we stop filling out CAPTCHAs and seeing Cloudflare bot checker load screens, that would be a big plus.
This could be a really bad thing if it means that the web now will just widely reject alternative browsers or computers that have elevated administrative permissions.
I think if we want to see how this plays out, we can look at the Google Play store. A common example that already exists is that banking apps will block rooted Android devices, and it sounds like this attestation API will have the ability to do something similar.
In my opinion, that situation seems perfectly reasonable, and it also seems like most websites don't have the same incentive to block modified devices as higher-security services like banks.