Devs that decide to not KYC can still continue to release unsigned APKs that work on Graphene (and AOSP devices that don’t enforce signatures). Also call me naiv but user will still demand devices that allow them to install any APK. So there is a financial incentive for device vendors to ignore Google’s policy (or make opt-out very easy by showing a warning like macOS).