
>You can build one yourself

Not necessarily; FIDO supports attestation.



Some people insist on having attestation, and presumably if we said "No" they would build their own authentication standard with blackjack and hookers (and attestation).

I don't see it myself, but they really want it, and in niche environments it's not crazy. If you issue all 5000 employees with Fictional Corp. very secure fingerprint authenticators, checking for the Fictional Corp. attestation means you can be sure nobody used their factory default Solo Hacker Key FIDO device and then pasted the resulting values into a GitHub Gist. Would anybody really do that? Well, maybe, after all there were various SecurID tokens facing public webcams so that their owners could use the OTP from the token without risk of losing it...

However, on the public web no relying party (~ web site) should use this, especially one which offers some other unattested alternatives; and you as user shouldn't allow attestation if attempted -- at least Firefox and I believe Chrome let you say "No" and you should.


I built one myself. I've yet to find a site that doesn't support it. I'm sure there are some out there, but in practice attestation isn't a big problem.


...yet. And by the time it is, it'll be too late.


Except the industry is moving away from attestation. The popular passkey implementations don't support it. You won't see attestation use outside of enterprise specific settings.



