Is there a way to receive security updates after vendor stops them, without compromising SafetyNet attestation?

Imagine the following situation: - The vendor of my phone has stopped providing security patches for the stock OS. - The HW is perfectly fine and powerful enough for years to come, so I'm definitely not willing to replace it just to get access to security patches. - Running a phone OS with unfixed security vulnerabilities makes me uneasy. (It feels insane enough to run a computer at home with an OS that's a year behind on security patches. It's twice as insane to do the same with a device that I routinely take to all kinds of hostile environments and untrusted networks.) - Authors of all kinds of random apps have grown a habit of requiring SafetyNet attestation. - I don't need root access to my phone, and I can live with losing some of the proprietary vendor-provided features. I also don't care too much about running the latest Android version, as long as it's receiving security fixes and is compatible with most apps. I know I have the following two options: - Stick to the stock vendor OS, which is gradually going to become full of security holes. However, SafetyNet passes and I can run all kinds of apps because they feel safe on my device. - Install a custom OS. This will fail SafetyNet, unless I use a tool to hack around it and try to pretend the phone is not rooted. This approach is likely to stop working at some point, leaving me with a device that fails SafetyNet. Thus although my device may have up-to-date security patches, apps will refuse to run because they deem the device insecure. **Is there a third way, which would let me stay up-to-date on security patches while not breaking SafetyNet?** I can imagine something like a pure AOSP system, perhaps built and signed by Google or another vendor, that I could run unrooted and unmodified (relying on vendor drivers through the Treble thing).