Hoodedcrow 12 hours ago

> The attestation API in AOSP allows companies to trust signing key fingerprints (such as those of GrapheneOS), which means that the attestation system is not controlled by a single company (Google).

I wonder if this would exclude rooted OSes, non-relocked bootloaders and things like that? Sorry for the stupid question, still not quite understanding how this works.

microtonal 11 hours ago

Currently probably not, because there are leaked keys, etc. But otherwise it would, since the verified boot state, etc. is added as part of the signed material.
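
The check discussed in this thread, sketched from the relying party's side as an added example (not part of either comment, and not AOSP or GrapheneOS code). It assumes the attestation certificate chain has already been parsed and validated elsewhere; the field names follow the RootOfTrust structure of Android key attestation, and the key digests and certificate serials are constructed placeholders.

```python
from dataclasses import dataclass

# VerifiedBootState values from the key attestation RootOfTrust structure.
VERIFIED, SELF_SIGNED, UNVERIFIED, FAILED = 0, 1, 2, 3

@dataclass(frozen=True)
class RootOfTrust:
    verified_boot_key: bytes   # digest of the key that verified the booted OS
    device_locked: bool        # False when the bootloader is unlocked
    verified_boot_state: int

# Hypothetical allowlist of alternative-OS signing key digests (constructed).
TRUSTED_OS_KEYS = {bytes.fromhex("aa" * 32)}
# Hypothetical serials of attestation certificates known leaked (constructed).
REVOKED_SERIALS = {"deadbeef01"}

def evaluate(rot, chain_serials, chain_signature_ok):
    """Return (accepted, reason) for one attestation.

    chain_signature_ok is the outcome of certificate chain validation,
    assumed to be performed by the caller before this policy runs.
    """
    if not chain_signature_ok:
        return False, "attestation chain does not verify"
    # A leaked attestation key can sign any boot state it likes, so the
    # signed fields mean nothing until revoked keys are rejected.
    if REVOKED_SERIALS.intersection(chain_serials):
        return False, "attestation key revoked"
    if not rot.device_locked:
        return False, "bootloader unlocked"
    if rot.verified_boot_state == VERIFIED:
        return True, "OEM-rooted verified boot"
    if rot.verified_boot_state == SELF_SIGNED:
        # Relocked bootloader with a user-installed key: accept only
        # OS signing keys the relying party has chosen to trust.
        if rot.verified_boot_key in TRUSTED_OS_KEYS:
            return True, "allowlisted OS signing key"
        return False, "unknown OS signing key"
    return False, "boot state unverified or failed"

# Constructed sample inputs.
ALT_OS = RootOfTrust(bytes.fromhex("aa" * 32), True, SELF_SIGNED)
UNKNOWN_OS = RootOfTrust(bytes.fromhex("bb" * 32), True, SELF_SIGNED)
UNLOCKED = RootOfTrust(bytes.fromhex("aa" * 32), False, UNVERIFIED)
```
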