The point of blocking rooted devices often isn't to protect your account, it's to protect other (often unsophisticated) customers of the organization against automated attacks.

Rooted devices aren't the problem, Python scripts pretending to be rooted devices are. There's just no way to distinguish between the two. The only way to disallow automated Python scripts from logging to your grandma's bank account is to also disallow you from logging into yours if your phone isn't blessed by Google.

So make a toggle in the account settings that requires a blessed phone or an authenticated visit to the branch to set. There's nothing here that requires _my_ device to be authenticated in order to protect my grandma.