After all this discussion, SimpleWebAuthn still insists on requiring CTS profile match for passkeys generated by Android. This is the kinda thing that makes me so deeply opposed to Passkeys as implemented. If not even *open-source* developers can resist the urge to abuse them, then there's absolutely no chance I'll trust a corporation to be responsible either.