The big ones are:
- StrongBox keystore support with hardware key attestation support (used in Auditor) with attest key support, which then would be used for key pinning
- Weaver key derivation throttling (hardware-enforced Android credential brute forcing countermeasure)
- Insider attack resistance (Owner user must authenticate before the SE can be firmware updated)
Samsung closely meets the requirements, but because they kill the secure element features with an eFuse when installing another OS, it is useless to us.