They allow old devices to report to Play Integrity. That doesn't mean the service provider requesting attestation has to allow such devices. These things usually give just a risk grade to the service provider and it's up to them to make the decision.

Graphene OS says they are secure, but the definition of secure they're using isn't the same one the service providers are using, so that doesn't help much.

The best route forward here is to push for a separation of certification types. Ideally it would be possible to pass the security related aspects of Google's CTS test suite and get approved by Play Integrity without triggering the other parts of Android certification.