by fread2281 226 days ago
Why do you need attestation? It seems to always either serve no real purpose (e.g. bank apps) or be anti-user (DRM) (except for perhaps enterprise managed devices for companies with serious infosec requirements).

Replied below but TLDR (and not fixing myself) is that security requirements of the app are such that a compromised APK or rooted device running modified Android could gain privileged access to sensitive information by bypassing/deep faking some auth mechanism. This isn't hypothetical: it's attacks observed in the wild that we've been forced to respond to.