This doesn't match my experience. Banking apps in Germany often required screwing around with additional Magisk modules, and would often break again after an update. Just not worth the effort.
> The only apps that require a bit more work / expertise are apps that require integrity checks (ie. google wallet).
"A bit more work" but only for now... There is a loophole (spoofing the device fingerprint with the one of an old model where non-hardware attestation is still accepted) but Google is starting to ban those models and it's only a matter of time until they're all banned.
In Denmark, MitID supports non-phone authenticators. You have to request it, but a few days later they send a TOTP generator keyfob. They also have a version for blind people.
I would find it annoying if I had to carry the keyfob. I have it as a backup.
The system is used for authentication for banking, accessing healthcare records, tax records, filing for divorce (yes, online) and so on. And for doing similar things for ones children, depending on their age.
By using an app or various hardware keys — with a maximum of three active methods — they can reduce the chance that additional people have access, and prevent duplication of the private keys. This isn't possible with a QR code to scan for TOTP (you can scan it on multiple devices, or print it out, or have a computer with malware doing this).
Initial authentication is done using a passport, or in-person at a local government office for people without one (or without access to a phone capable of reading the passport's chip).
(This is just my general understanding of the system.)
Most apps I use (ie. banking) are bypassed simply by adding them to a hide-list.
The only apps that require a bit more work / expertise are apps that require integrity checks (ie. google wallet).