There are attestation mechanisms, but huge portions of a public user-base (especially android) don't pass that check because their device is too old, or their OEM sucked, or something something mediatek SOC, or <insert esoteric detail within the attested data that fails check in opaque way>

In my experience, all forms of attestation start to become impractical at scale unless you have a fairly homogeneous, well-patched fleet. This is particularly heinous for TPMs, where I've observed TPMs coming off one STM line having invalid EK certs, but other STM TPMs of the same model are fine. Or the platform firmware stamped out onto the motherboard has a bug in how it extends PCR0 and the event log is just borked forever, and so on... Totally unworkable.