There won't be a reasonable way to bypass it as it requires a Google authenticated manufacturer to leak the keys or an TEE exploit.

All public key boxes are banned and Google regularly bans new ones . That endpoint contains the list of revoked keyboxes : https://android.googleapis.com/attestation/status

I'm not a security researcher, but I do believe in the ingenuity of others. If all else fails, this kind of law in my own country would lead me to running apps within a virtualised environment (if possible), or a dedicated cheap device in a drawer with my actual device still being mine.

This kind of checks would prevent you from running the app in virtualized environments too. You'll need the cheap device, assuming it doesn't get too old or its keys get leaked and your device also gets distrusted as a consequence.

I'm assuming you would do this out of a political reason, or as a very technical and privacy aware user.

But you are providing an alibi for malicious users who, for example, might try to brute force logins from unidentified devices.

That would be one reason aside from the law. You are essentially positioning yourself on the same side as intruders.

You're claiming that the only legitimate use of rooting is criminal activity, which is not true. Your argument is based on a faulty premise in my eyes.

are you for real? no, its the government telling regular people that simply wants to control their device that THEY are criminals and on same side as intruders.

You should personally immediately return any computing device where you have control, this line of reasoning is insane

aka guilty until proven innocent.

> Unfortunately the answer here is to not abide by the law

You realize in Viet Nam this means getting a "friendly" visit by the MPS/BCA, and if you continue eventually getting branded as a troublemaker.

> [...] and there is reasonable expectation to not be caught [...]

Hence my qualifier. I'm not trying to incite anyone into personal danger.