Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like
etc. Basically making sure the “environment” is clean and not tampered with (trusted).
The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).
Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).
I don’t think sites can request attestation yet, for vpn ips it’s usually that the ip/ip block has shown “suspicious” behavior & got reported either manually or picked up by bot sensors.
(Now of course it’s also bad to let Google and friends be the arbitrator of good and bad IPs, famous for the destruction of truly self-hosted email (among other things))