IIRC the proposal includes some crypto-handshake verification to make sure the attestor is who it claims to be, so no, apps can’t just fake it. Or, if some of those secret keys leak and apps use it, sites won’t accept it anymore.

It still doesn’t matter. A website can choose which attestors to trust (if they had to trust all of them the whole thing would be useless), so Youtube can just deny access to the video streams to anything that isn’t a trusted browser environment, and anything third party like Invidious, Piped, Newpipe, Freetube… won’t be able to work anymore.

eventually there will probably ba a certificate authority alternative to Google

Which won’t matter (for access from third-party apps), because to be accepted by websites they need to prove their trustworthiness, so you can’t just use a different one to circumvent it.

Unless people mass-migrate away from Chrome-based browsers (basically everything expect Firefox) Google will at one point enable their Web Environment Integrity thing, force all other browsers to enable it too because otherwise a lot of websites will stop working in them, and no alternative frontend will have access to the video streams anymore.

become complacent about solving the primary problems

We have been complacent about solving the primary problems for decades. At this point we should be doing all we can, and if a way to combat the symptoms gives us more time to finally get our shit together and do something useful before everyone turns into doomers giving up because it’s too late anyway then I think that’s a good thing.