Comment by tadfisher

Unfortunately, due to the nature of these things, you cannot verify an app is unmodified without also verifying the OS running it is also unmodified. So if VW decides that only their unmodified app may access APIs, then they kind of are stuck verifying the OS.

They can, given basic competence in SW engineering, also verify against GrapheneOS' published release keys. The reason they don't is the same reason Google closed my ticket asking them to include Graphene keys in Play Integrity checks: they don't care.