I agree, sort of -- I still think it's a farce. Unless this is implemented in a way that has a checklist that is updated so frequently as to force Windows users to do what they're often notorious for LOUDLY refusing to do... then it's more theatre.
As long as Windows users are allowed to remain as out of date on patches as they are, and depending on what the browser users as its attestation "source", I don't see how the browser and website can ever meaningfully establish the validity of the statement "the client is trusted to be malware free".
I wish the answer was that MS would secure Windows better. Sandboxing applications, and making it a pain in the ass to request high privilege functions. The current state of things is you just get a useless popup to grant admin access which literally every program requests so as a user you have no real tools to combat malware.
It's too hard for even someone who is highly knowledgeable to know if they have malware, let alone the average person.
As long as Windows users are allowed to remain as out of date on patches as they are, and depending on what the browser users as its attestation "source", I don't see how the browser and website can ever meaningfully establish the validity of the statement "the client is trusted to be malware free".