GrapheneOS implements its own attestation so you can attest that it's real GrapheneOS. The valid approach they've chosen is to try and get on a level playing field with the big guys rather than destroy the playing field. They have a good argument their OS is very secure, so you should accept its attestation. This is how a user-friendly OS backdoors into the attestation system.
I still think destroying the playing field is better, but less likely to succeed.
GrapheneOS doesnt implement its own attestation. It simply inherits the existing, generic attestation system provided in the android open source project. Any fork of AOSP can provide this, the keys would just need to be whitelisted per OS.
> so you can attest
This isn't about you attesting anything though. It's about corporations attesting that your device is 100% corporate owned. Can't have you running software that impacts their bottom line after all.
GrapheneOS could be the most secure operating system to ever exist, it doesn't matter to the corporation because it's still under your control. When they say "security", they mean "the corporation's security against the user", not "the user's security against the hostile world out there".