Original comment follows:
In my view, this would just DRM-ize everything on the web. Of course, Cloudflare and Fastly don't talk about this much, and Cloudflare keeps assuring you'll still get captchas if device attestation fails or is unsupported. But realistically, once all Microsoft, Google and Apple implement it in their devices, there isn't much of a reason to keep accepting non-attested devices. You can already see where this is starting to go - if you're using Linux/BSD or another niche OS, congratulations, you can't submit forms any more. And since device verification would become extremely cheap to perform this way, you'd also see websites protected entirely by this tech, effectively locking out Linux/BSD users. The Cloudflare article also talks about how, at least in the case of Apple, they'd run something like a posture assessment to confirm that your device components are genuine. I can also see this new tech locking out users of non-OEM repairs. This is a much bigger deal than what it seems like on the surface, and I'm genuinely scared about how this one simple move dwarfs all of the "evil" things that big tech has done so far.
https://www.ietf.org/archive/id/draft-private-access-tokens-...
> There is nothing stopping the Spam/Bot community from implementing something similar.
I am a full time linux user, but I can guarantee you that if the bigcorps are going through with this it absolutely is going to lock out linux users, because the goal is to stop bots.
Evil.