The issuing entity. They want a "secure device" to do business with me, then they get to issue said device.

Otherwise, they just get to be OK with offering me a website or letting me transact with them on my own device that's under my own control without stipulations like requiring attestation, or prohibiting root.

The point is, governments nor banks or other private entities, should be getting to dictate what can and cannot be done on someone's computing device.

At least here in the UK for years if you opened a bank account, even a free one, you'd get a debit card + a device for generating secure keys for online and telephone banking. Like a standalone, battery powered device the size of a calculator.

Like....why can't we just go back to that? Banks were "fine"(doesn't mean happy) to shoulder the cost of these devices then.