[pwlb]

Preventing credential duplication is a requirement to achieve high level of assurance. One of its purpose is to limit the potential damage that can be done by attacks. If credentials are bound to hardware-bound keys, attackers will always need access to this key store to make any miss-use. If you don't prevent duplication, attackers may extract credentials and miss-use them at a 1000 places simultaneously.

[subscribed]

Okay, but Google certifies phones which are not updates for the last several years.

They can be trivially rooted, then they spoof the signature and get a pass in Integrity while being wide open for malware (or cooying the ID, ID presume).

[pwlb]

The documentation clearly outlines that there are multiple signals being analysed. Relying on play integrity alone is definitely not sufficient as you state.

[subscribed]

Okay, I meant that Google issuing a "pass" is worthless, yet it's being used as a mandatory signal.