If someone injects malware into your GrapheneOS image then the attestation won’t pass. That is how it works.

Hardware attestation verifies that the phone and the OS its running on are real and not an emulator or a fake malware laced version.

It ensures that you don’t get your bank account stolen by a fake ROM with an infostealer inside.

They complain about /e/ and Sailfish because they are genuinely bad. You can see how bad /e/ is in my recent post.

They used to support DivestOS which was an OS designed for phones which don’t support Graphene.

The issue is that OS’s like /e/ and Jolla are quite insecure, meaning a verification that they’re “safe” can be a lie if the device is exploited, which it easily can.

GrapheneOS has their own attestation system, and some banks are using it.