Remote attestation isn't inherently evil. Remote attestation can protect your privacy too. You can run code on a public cloud, with remote attestation proving that the cloud provider cannot read the memory of your VM, even if they use a malicious hypervisor.
(That's of course assuming in your threat model you trust the hardware maker but not the cloud provider. The sentiment in this thread is clearly don't trust the hardware maker.)
Or you can just run security-critical code on your own hardware on your own premises, as has been and will always be the answer for strong security. If a legal contract with a datacenter is not enough of a security guarantee, then neither is a wink from a hardware manufacturer. The societal downsides from abuse of remote attestation - eg computational disenfranchisement of end users - far outweigh any claimed benefits.
With secure attestation you only need to trust eg Intel and only when they manufactured your device, and not random cloud providers forever.
Of course, running on your 'own' hardware is a fiction, too: companies themselves are made up of contractual relationships, fiduciary duties and other legal devices.
Even if you are running your software on your own in-house datacentres, remote attestation is still useful.
(Just like git's commit hashes are still useful, not only when your code lives externally on github, but even when some other department of the same company is hosting your source code.)
I didn't say it wasn't useful. As technologists we can easily see how any given feature is useful for good, honest purposes. My point is that these purposes pale in comparison to the abuse that remote attestation directly enables - "big tech" demanding that you only run approved software to interact with them - aka computational disenfranchisement and destruction of the idea of the "user agent".
The societal situation is analogous to "Web 2.0". Everybody thought "this is neat, it lets me make interactive applications that I can share easily with my friends". Few dwelled much on how the intrinsic centralized control was a terrible dynamic. Over time, economic optimization increasingly focused on and exploited that centralized control. Now we've ended up with most people's idea of "the Internet" being choosing between least-bad corporate bundles, and just suffering all the ways they're being controlled. Remote attestation further increases that control, making it infeasible to employ software to represents your own interests.
> The societal downsides from abuse of remote attestation - eg computational disenfranchisement of end users - far outweigh any claimed benefits.
Your new comment is basically re-iterating this sentence I quoted from the old one.
I'm not sure, if I outright agree; but I do see the point and was not arguing against it.
It is indeed worrying!
> Or you can just run security-critical code on your own hardware on your own premises, as has been and will always be the answer for strong security.
My comment was arguing against this part of your original comment. On-premises doesn't have to be more secure; and it misses out on some gains from division of labour and specialisation.
(That's of course assuming in your threat model you trust the hardware maker but not the cloud provider. The sentiment in this thread is clearly don't trust the hardware maker.)