But in practice they usually rely on attestation by an approved vendor, and the vendor won't let you control your private key, so they'll leverage it for lock-in.