This is already what is happening with SafetyNet on Android. For now most applications don't require hardware attestation so you can pass by spoofing an old device that didn't support hardware attestation but I'm sure that will change within a decade.
Being able to trust the security of a client can protect against many attacks and it is up to web sites to evaluate what to do with into information that a client is proven to be secure.
So the server is wildly insecure and wants to make it my problem.
Take for example a simple spam bot. The bot authenticates and then starts sending spam to people. Detecting spam and spammers server side is an imperfect art. It is a constant game of doing things to reduce the rate of spam. It can help a lot if you can ensure that only your client is able to work with your service. This means that attackers can't just write some python script and deploy it somewhere. They have to actually be running your app and actually liking the content in the app. This increases the costs for attackers and reduces the amount of spam.
Both client and server security is important.