I feel this is the bit that's going to be hand waved away for the sake of convenience.
I also wonder what those certain baseline requirements are going to be? Weird that they're left ambiguous.
It's probably nothing to worry about. We have a ton of precedent with Widevine that "it's okay, we'll license to anyone who meets requirements" wouldn't ever be abused[0]. It's fine, you just meet the baseline requirements that aren't spelled out yet and that might be subject to change and that certainly won't include headless or highly scriptable or experimental browsers. Nothing to worry about.
[0]: https://blog.samuelmaddock.com/posts/google-widevine-blocked...
It’ll be cryptographic chain-of-trust based, with it sending a fingerprint, probably encrypted/signed with a per device key stored in something like a TPM, to the attestor, who will say if the fingerprint is valid or not.
They’ll inevitably only attest to the state of apps running under this full chain - so full secure boot, no unsigned drivers, only signed/approved apps - probably with a requirement to be installed via the platform’s App Store.
No one will be attesting for Linux because there’s no chain of trust and no control over what runs.
It’s a recipe for eliminating user choice and freedoms.
The current spec has a holdback mechanism. If it actually gets implemented, I don’t expect that holdback mechanism to actually be part of the final implementation - because it makes the whole idea useless.