You can only do that because Windows lets you do that. That's something that can change.
> It seems to me like you can only guarantee no tampering in an actually locked down system, like modern mobile devices.
Yes, the whole point of remote attestation is to be able to prove to the other party that your device is running an approved and fully locked down OS+browser combo before it sends you any content.
It does this by putting the code that creates this guarantee in the only place that you can't (easily) change: in the silicon of your CPU.
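The attestation flow described in the comment above, as an added example that is not part of the original comment or any vendor's code: each boot component is hashed into a measurement register, the hardware-held key signs that measurement together with the server's fresh nonce, and the server checks both the signature and an allow-list. HMAC with a constructed key stands in for the asymmetric attestation key real hardware uses; all names and sample stacks are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the key fused into the silicon. Real hardware uses an
# asymmetric key with a vendor certificate, so the verifier never holds the secret.
DEVICE_KEY = b"constructed-demo-hardware-key"

def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = SHA-256(old || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold every loaded component, in load order, into one measurement."""
    register = bytes(32)
    for blob in components:
        register = extend(register, blob)
    return register

def quote(measurement: bytes, nonce: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Hardware side: sign the measurement plus the verifier's fresh nonce."""
    return hmac.new(key, measurement + nonce, hashlib.sha256).digest()

def verify(measurement, nonce, signature, approved, key=DEVICE_KEY) -> bool:
    """Server side: valid signature AND measurement on the allow-list."""
    expected = hmac.new(key, measurement + nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature) and measurement in approved

# Constructed sample boot chains (not real firmware or browser images).
APPROVED_STACK = [b"bootloader v1", b"os kernel v1", b"browser v1"]
MODIFIED_STACK = [b"bootloader v1", b"os kernel v1", b"browser v1 + user patch"]
APPROVED = {measure_boot(APPROVED_STACK)}

def attest(stack, nonce=None) -> bool:
    """Run one full challenge/response round for the given software stack."""
    nonce = nonce or os.urandom(16)
    measurement = measure_boot(stack)
    return verify(measurement, nonce, quote(measurement, nonce), APPROVED)

if __name__ == "__main__":
    print("approved stack accepted:", attest(APPROVED_STACK))
    print("modified stack accepted:", attest(MODIFIED_STACK))
```

The modified stack fails because its measurement is not on the allow-list, and a report claiming the approved measurement fails unless it is signed by the hardware-held key over the current nonce.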