It is my understanding that attestation could be used to control which software is running on the client's computer prior to granting access to a web service, yes?

Otherwise, what would the point be of using to, say, protect DRM content on a webpage if I can just attach a debugger to the process in question?

Is this not how WEI works?