>Chromium is open source. If there was some super secret handshake, anyone could copy that code to curl-impersonate. And if it's only in closed-source Chrome, someone will disassemble it and copy it over anyway.

Not if the "super secret handshake" is based on hardware-backed attestation.

True, but beside the point.

GP claims the API can detect the official chrome browser, and the official chrome browser runs fine without attestation.