Google provides attestation and it's a constant cat-and-mouse game that the rooters are usually losing.
Websites can't tell, but lots of companies don't provide equivalent functionality via website. I know I can't upload check images for remote deposit unless I use the native banking app.
What irked me is that sometimes app developers are abusing it without asking themselves "Does this app really need to check for rooted phones at all?"
I'm okay if bank apps are using that. But why do fast food apps need to use that? Most people that I know are paying with cash when they order food online (and you can't hack paper money with rooted android phones).
Here's a question I'd love for Google to answer: why do you need their special blessing to be able to make a file manager app, but not an app that uses SafetyNet?
I'm not okay with it, to be honest. It's my money, and I trust a rooted LineageOS with it much more than I trust the default firmware of most phones. Besides, my bank lets you do the same operations from their website that you can do with the app, so in my case it's pure inconvenience, not security.
Statistically people who do payment fraud crap use rooted phones more, probably to help with things like location spoofing to get around other fraud detection methods when apps use third party payment libraries, so you reduce your fraud cost with something that is a few lines of code. The cost/benefit ratio is too good which is why you see it everywhere that has a payment fraud risk of some sort.
Presumably a website could support WebAuthn and require you to log in using a "Platform Authenticator" like Windows Hello.[0] One way or another, websites will end up requiring that only "secure" devices access them (preferably disclosing a unique serial number registered to them).