> Therefore, in their defense, if the OS doesn't come from a trusted source (in the bank's or Google's point of view), your bank's credentials are essentially compromised.

"Compromised" means that someone has them who will use them for unauthorized activity. When your device is infected with malware because it's running the same version of Android it came with that hasn't received a security update in several years, entering your credentials into that device will cause them to be compromised. When your device has a custom ROM that isn't sending your credentials to anyone it isn't supposed to, they are not compromised.

But the first device passes attestation and the second one doesn't. Moreover, that is the common case -- the version of Android that came with the device is likely to be older and to have more vulnerabilities than a custom version installed later. That means passing attestation isn't just uncorrelated with uncompromised devices; it's actually anti-correlated with them. Requiring it forces users to keep and use the older OS with known vulnerabilities on that device.