ctsProfileMatch is a "Google certified OS" check, or in other words just a stock OS check, because we're not Google certified. This is purely a software-based check. SafetyNet is also deprecated and replaced with the Play Integrity API. They have their own software-based checks too, such as green state verified boot (we're yellow state because we're not stock OS unless we had our own hardware vendor).
We plan to spoof these software checks so we can pass ctsProfileMatch / MEETS_DEVICE_INTEGRITY (https://github.com/GrapheneOS/os-issue-tracker/issues/1986) but it has to be done carefully, safely, and without compromising security. It's also going to be very fragile and the user will be made aware that Google at any time can and will break these bypasses because they are actively trying to prevent people from bypassing it. It's possible their changes can break apps even more.