What does client assertion mean here? I don't see any mention in the GitHub issue.

It means that the request to the API contains cryptographic proof that is was generated by a legitimate, reviewed app running on a unmodified and non-rooted mobile device controlled by Apple or Google.

	▲	Retr0id 6 hours ago \| parent [-]
		fwiw this is a correct definition of Remote Attestation, matching what is mentioned in the github thread, but Client Assertion is something mostly unrelated (an OAuth implementation detail)