Note that during remote attestation you are deliberately leaking a unique static hardware ID to the one you are attesting to. There is usually some measure of indirection involved (EK -> AIK) such that additional collusion is required to recover the actual HWID (public_key of the fused Endorsement Key in the secure enclave).
Nothing prevents all the parties (the one you are attesting to and the central authority you use for indirection) from saving everything and cross-referencing it at any point in the future.
The same problem, and often a worse one, is present in DRM systems.
In the case of Widevine DRM you are actually leaking a static HWID to every license server, no collusion required. This is because there is no indirection involved: you give the license server the public key of the private key fused in the secure enclave for this purpose. The only safeguard is that every license server needs a certificate from Google to function (the secure enclave will refuse to form a request on an invalid cert).
There are a lot of license servers.
As a side note, this is how they impose a cost on pirates. They employ forensic watermarks for the content streamed to subscribers. At the CDN level they can do it cheaply using A/B watermarking; the cost is storing double the size of every file. When that content shows up in p2p piracy, they trace it to the account and the device's DRM system public key, revoke its ability to view content (at the level of the license server) and ban the account.
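
The A/B scheme described above, sketched as an added example that is not part of the original comment: every segment is stored in two variants, each session gets a per-segment A/B choice that spells out its watermark id, and a leaked copy is traced back by reading those choices. The registry entries, the 12-bit payload, the title name and the use of byte equality in place of real watermark detection in decoded video are all assumptions made for illustration.

```python
import hashlib

ID_BITS = 12    # constructed: watermark payload length, repeated across the title
SEGMENTS = 24   # constructed: number of media segments in the title

# Constructed registry: watermark id -> (account, device DRM public key fingerprint)
REGISTRY = {
    0x5A3: ("account-alice", "devkey-fp-0001"),
    0x2CB: ("account-bob", "devkey-fp-0002"),
    0x714: ("account-carol", "devkey-fp-0003"),
}

def variant(seg: int, ab: int) -> bytes:
    """Stand-in for the two pre-encoded copies (A and B) the CDN stores per segment."""
    return hashlib.sha256(f"title-1/seg{seg}/{'AB'[ab]}".encode()).digest()

def pattern(wm_id: int) -> list[int]:
    """A/B choice per segment: bit (seg mod ID_BITS) of the session's watermark id."""
    return [(wm_id >> (seg % ID_BITS)) & 1 for seg in range(SEGMENTS)]

def serve(wm_id: int) -> list[bytes]:
    """What the CDN delivers to one session: one variant per segment."""
    return [variant(seg, ab) for seg, ab in enumerate(pattern(wm_id))]

def trace(leaked: dict[int, bytes]) -> list[tuple[str, str]]:
    """Map leaked segments (index -> bytes) to the sessions consistent with them."""
    observed = {}
    for seg, blob in leaked.items():
        for ab in (0, 1):
            if blob == variant(seg, ab):
                observed[seg] = ab
    if not observed:            # nothing recognisable: no attribution at all
        return []
    return [owner for wm_id, owner in REGISTRY.items()
            if all(pattern(wm_id)[seg] == ab for seg, ab in observed.items())]

if __name__ == "__main__":
    stream = serve(0x5A3)
    print(trace(dict(enumerate(stream))))               # whole title: one session
    print(trace({s: stream[s] for s in (12, 13, 14)}))  # short clip: still ambiguous
```

A clip shorter than the payload length can match several sessions, so attribution only becomes unique once enough distinct bit positions have been observed.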