[Brian_K_White]

If it can't prove what it purports to prove, then it is not policy enforcement, because it is not anything enforcement.

But someone thinks it is, which is harmful to them on top of being an annoyance to everyone else.

[insanitybit]

That's just a misunderstanding of the threat model. It's like saying "if someone can just mitm TLS it's pointless" when that "someone" is in the position to run arbitrary code on the client. Mitigations map to specific attacker positions.