Need for attestation?

[jackevans43]

From the Chromium blog:

We are committed to developing this standard in a way that ensures it will not be abused to segment users based on client hardware. For example, we may consider supporting software keys for all users regardless of hardware capabilities.

Should the implication of this design choice be fully explained? I know attestation can be a controversial topic, e.g. in WebAuthn, but currently the server will never know if the private key is hardware backed and cannot be extracted. While DBSC meets the aim of stopping "smash and grab" cookie theft, it wouldn't prevent malware from deleting the authentication cookie so forcing a reauthentication (visible to the user, but not obviously malicious) after patching the browser to use software to store the private key (which it can then steal).

This is related, but subtly different from #2 - where malware had access to the device before the sessions were authenticated - this case is where malware arrives after the sessions were authenticated.