[ExpertAdvisor01]

There won't be a reasonable way to bypass it as it requires a Google authenticated manufacturer to leak the keys or an TEE exploit.

All public key boxes are banned and Google regularly bans new ones . That endpoint contains the list of revoked keyboxes : https://android.googleapis.com/attestation/status

[fenaer]

I'm not a security researcher, but I do believe in the ingenuity of others. If all else fails, this kind of law in my own country would lead me to running apps within a virtualised environment (if possible), or a dedicated cheap device in a drawer with my actual device still being mine.

[SkiFire13]

This kind of checks would prevent you from running the app in virtualized environments too. You'll need the cheap device, assuming it doesn't get too old or its keys get leaked and your device also gets distrusted as a consequence.