I think that's worse than reinstalling because there could be a non-persistent exploit in the secure element allowing a malicious OS to fake attestation
Why dont they just offload the legal burden onto the users with a "Enter your * or decline" and move on? Taking this half compromizing position is easier to defend i think.
Not really, thousand of sellers are selling products in places they "shouldn't", law and enforcement of law is very different (average Aliexpress seller will sell you counterfeit product and ship to the US and just wouldn't care), and some website/business owners just have balls, GrapheneOS could just relocate the company to some offshore jurisdiction and sell only through a bunch of third-parties that wouldn't care about local laws at first.