You already can’t get around this on smartphones. So many companies force you to use their app and only their app if you’re not in front of a desktop.

and requires a kernel level always on spy driver to watch the Chrome process to prevent tampering with it?

That would be one method, yeah. The attester supplies a kernel driver and uses that to generate the auth tokens communicating with it via some protocol or via scanning memory.

The driver is just chilling in the machine, perhaps even evasive to lsmod, such that the only way to detect it is to have your own driver monitoring for some specific signal before the attestor driver gets installed, and then using that signal to track its installation.

There’s always a way. But, as you say, with phones it’s not as simple.

GrapheneOS or some other ROM on an unlocked Android phone is probably going to be the only way of bypassing it.