In reality, hardware-backed attestation to TEE is becoming the norm for allowing developers of apps requiring a high degree of security to have assurance that their code is, in fact, running in a Trusted Execution Environment. Even SoCs / processors for PCs etc. now have the hardware required, and it seems that soon even your PC will rely on these attestations rather than traditional malware detection etc...
Examples of such code include Google's own Google Pay.
The issue is quite simple; bank app devs / corporations who could be sued / banks who now are faced with replacing more and more of your funds obtained by fraud to maintain good faith with customers (e.g. GPay partner banks when a customer's phone is lost or stolen and thieves are able to unlock the phone & use your GPay because you loaded TWRP, decrypted, left USB debugging on etc. etc.) want to know the platform is secured (read 'is a TEE') as thieves basically cannot get your data / money in that case, but it is often a trivial matter otherwise.
However, since Google have been taking their time to implement HKA properly, the banks are simply covering themselves by investing in their own methods of detection; they already view iOS as the preferred mobile OS for security as it is basically impenetrable while Google has NOT delivered...

Google can't afford to let that continue either!
While we can, Google is allowing us to 'subvert their security model' quite knowingly, but only because they view the Magisk / modding / custom development community as largely 'White Hat' rather than nefarious as they've said... But there are nefarious hackers etc out there, increasing in number by the minute...
So you are thinking only in terms of your privacy... What about your right to know stuff? What about the banks' right to know their code is secure?... Really, by manipulating signals (spoofing CTS profile match etc.) that legitimately attest to TEE, say to hide the fact that a chain of trust is broken (read device no longer has Verified Boot (AVB) i.e. bootloader is unlocked), you are effectively misrepresenting these details (read lying)... You are verifying what has not been verified, attesting to the trustworthiness of what cannot be trusted...
What should really be illegal?...
Of course there'll be no litigation over this either way, but if they were forced to let you run their code in unsecure (non-Trusted Execution Environments) banks would simply stop viewing Android as a safe / viable platform for their apps and cease to produce them, so you'll lose the ability to bank unless you get an iPhone in any case, and Android would slowly become untenable...
It doesn't take a genius to work out which way this'll go...

PW