> rootfs attestation verifies a per-file SHA-256 manifest at startup;

What threat model does this protect against? Certainly nice, especially for free, but wondering about utility.