> Even with attestation you could just daisy chain and use the attesting device as a proxy.

But you'd need the attested device to run the proxy server software, which would obviously not be allowed in the app store, and would be blocked by the gatekeeper daemon or the OS-level firewall. Well, proxy software would be allowed, but it would have to perform its own attestation checks on the devices it proxies for.

> Not to mentioned the billion of internet enabled devices that would never support it

The billion internet enabled devices would be allowed onto a special "safe" segment of the internet, which companies could apply to add their static IPs to. So your internet connected fridge could still phone home, but the manufacturer would take liability for any data that a rooted fridge managed to send out to the internet.

There might still be millions of old devices that don't support TPMs and don't have manufacturers willing to apply to have their IPs whitelisted, but the government will say that kicking these insecure unpatched devices off their internet would be a huge win for cybersecurity. Making people buy a whole load of new devices would probably also give a temporary boost to the economy too.

I think you're missing the point. Attestation is just key signing and verification with more bells and whistles and overhead. DRM tries and fails for the same reason: you have to give the user both the key and the content. There has been 30 years of attempts to somehow obfuscate and keep them apart, all without success.

An attacker with physical access and unbounded time cannot be defeated.

The reason why DRM has failed in the past is that it only takes one person to crack the DRM on their own device, and then they have an unencumbered digital file which can be copied and distributed freely.

Applying DRM to kernels and applications rather than to media files is completely different. If someone wants to have an E2E encrypted conversation, not only do they have to have jailbroken their own device by extracting the secret keys from inside its processor (using an electron microscope, perhaps) but their conversation partner has to have done the same to their own device.

Even if a few brave and well-resourced journalists/lawyers/activists managed to do this among themselves, they would quickly be exposed by traffic analysis, allowing the government to simultaneously arrest all of them and use their devices as evidence.