> You could tell if a request is from a real browser or from a script.
Today websites already know if the request is from a real browser or not just by integrating with reCAPTCHA or hCAPTCHA. This is just taking a very popular category of security product and tightly integrating it with the browser itself.
Today, you can take a philosophical stance and categorically refuse to use any website that uses reCAPTCHA/hCAPTCHA. Tomorrow you can take a philosophical stance and refuse to use any website that uses PAT.
You're missing a huge difference here: A captcha works on top of the existing web. I can use it on any platform to prove that I am a human. Whereas the proposal/implementation here effectively locks out any platform not explicitly allowed by the website operators. That is a huge blow to anything not from Google/Apple/Microsoft. Open source and any potential new entrants to the market would be dramatically limited if not killed entirely.
The big difference then vs. now is that with CAPTCHAs you can (generally) choose to complete them from a wider range of browsers and devices that have no corporate approval (unless it's that one Cloudflare CAPTCHA that gets stuck in an infinite loop). So even if it's painful, you can still access most websites. With attestation you don't have that choice.