You've still got it a bit backwards. Websites should be the ones publishing content suitability headers. Those headers are then legally-significant assertions about the content on the site - the type of content, age/moderation policies, etc. Browsers then implement the device's configured policy based on what headers the site returns.

This requires locked down computing on the end device, but all of these proposals inherently do - otherwise a kid can always just install whatever software that sidesteps the restrictions, right? And leaving the responsibility on the device owners/makers only motivates secure boot, which is already pervasive on the most relevant devices - phones and tablets.

Your proposal puts liability directly onto websites themselves, regardless of the end user/device. This would push websites into demanding remote attestation, which is at the early days of being pushed (safetynet, wei, etc), and is the thing that is really primed to destroy general purpose computing. You know all those "verifying your device" followed by endless CAPTCHAs that are everywhere these days? Imagine that, on every site, and no way to get around it besides installing a genuine copy of either Windows 2028 or macOS 28 Pyongyang.