Basically Google has actually implemented remote attestation properly (using hardware) so Magisk can't hide unlocked bootloaders anymore unless someone finds a crypto flaw. It's slowly being rolled out to Play Services but I believe cts still passes for now.
Can you give more details on this? I wasn't able to find anything with google-fu except this post, which is surprising.