Magisk will fail Safety-Net hereafter. Why?

Recently, Google made security changes which make sure [tag:Safety-Net] fails check when Magisk is installed. This was Tweeted by John Wu (Magisk developer) , [here](https://mobile.twitter.com/topjohnwu/status/1237656703929180160) and [here](https://mobile.twitter.com/topjohnwu/status/1237830555523149824) . Some excerpts: > So here we go, after years of fun messing around using Magisk, it seems that Google FINALLY decided to "fix" SafetyNet to something useful, and that is to use key attestation to verify device status (after 3 years since introduced to Android's platform!) > **Let's face it. Fun is over guys.** (Emphasis added) **Edit:** From [Github](https://github.com/topjohnwu/Magisk/commit/612b51d48f9771a65cfab045f931573f42d3a494) > **Disable MagiskHide by default** > Since SafetyNet CTS is impossible to achieve, leaving MagiskHide on by default no longer serves a purpose. > For more details regarding the latest SafetyNet changes, please check: > https://twitter.com/topjohnwu/status/1237656703929180160 > https://twitter.com/topjohnwu/status/1237830555523149824 > MagiskHide's functionality will continue to exist within the Magisk project as it is still extremely effective to hide modifications in userspace (including SafetyNet's basicIntegrity check). > Future MagiskHide improvements _may_ come, but since the holy grail has been taken, any form of improvement is now a very low priority It looks to me that Google could/should have implemented this earlier but didn't and the CTS check being done from within Magisk wasn't comprehensive. Please demystify this in simple terms (to the extent possible) for folks who don't understand the innards of Android (like me).