[subscribed]

Okay, but Google certifies phones which are not updates for the last several years.

They can be trivially rooted, then they spoof the signature and get a pass in Integrity while being wide open for malware (or cooying the ID, ID presume).

[pwlb]

The documentation clearly outlines that there are multiple signals being analysed. Relying on play integrity alone is definitely not sufficient as you state.

[subscribed]

Okay, I meant that Google issuing a "pass" is worthless, yet it's being used as a mandatory signal.