alt Hacker NewsThere won't be a reasonable way to bypass it as it requires a Google authenticated manufacturer to leak the keys or an TEE exploit.
All public key boxes are banned and Google regularly bans new ones . That endpoint contains the list of revoked keyboxes : https://android.googleapis.com/attestation/status
I'm not a security researcher, but I do believe in the ingenuity of others. If all else fails, this kind of law in my own country would lead me to running apps within a virtualised environment (if possible), or a dedicated cheap device in a drawer with my actual device still being mine.