Which is the same as root-of-trust attestation.

Which is better:

- Having applications provide kernel-level software to provide attestation.

- Or having the OS provide root-of-trust attestation, but also requiring signed binaries, and preventing global root privilege escalation.

The third option would be neither, but players want some sort of anti-cheat.