Also possible they are putting stuff out early in the hope that public support protects them from the next admin

And if attestations are rate limited then a grace period until they can get enough attempts in to be confident.

If sites are expected to accept opted-out clients because they might just be randomly non-attested, why wouldn’t the hackers and fraudsters just opt out of attestation?