Please don't legitimize SafetyNet. It is an existential threat to real ownership of your phone as any flavor of Android but that blessed by Google trips SafetyNet. It's the equivalent of barring people from running software on their laptop because they've installed a flavor of Windows that wasn't shipped from the factory. People everywhere have a right to do with their phone what they want to.
I agree with all your points, but what's the reasonable alternative? There is a reason that apps have decided to go with SafetyNet as a requirement. It dramatically reduces abuse.
Unless an API you're looking at requires/supports attestation via SafetyNet or you're willing to proxy via your own server this is likely not an option.
Additionally, while it's true (to my knowledge) that re-implementing a full safteynet spoof is not currently publicly available, a combination of Frida and MagiskHide is able to bypass SafetyNet for dynamic RE purposes, just launch the app as normal with MagiskHide enabled then attach to it with Frida as root. If they enforce full hardware attestation this may change in the future, but right now we're good.
