Meta sneakily introduced “Platform Integrity Attestation API” which basically calls home to see whether the user has a valid license to play.
This means that to run apps user has to have online connection to perform an integrity test. Whether it’s only a test on launch or continues call home like Denuvo-like DRMs is not yet clear. This could also mean that modified headsets could fail to pass this test essentially closing down the device for modifications that could damage “platform integrity”. Not all details are clear yet but this doesn’t look good.
Currently it’s optional and up to app developers to enable it.
It’s not “unrooting” it’s just preventing your OS from being replaced. It’s an easy change for anyone with physical access to the device who can get past the lock screen, but can’t be done by accident. So you won’t be accidentally installing malicious software that will reinstall your OS, for example.
The unlock/lock and install can be done through a website, but it requires your phone to be plugged in to a computer, and you can enable/disable unlocking through the developer menu in the phone’s settings.
You can also use the standard android CLI tools to lock and unlock the bootloader, but that web app is really convenient.
Edit: and for anyone wondering, you can re-lock it with any ROM, or after rooting (you don’t lose root). I’m running grapheneos with a locked bootloader. Only difference between this and the stock ROM is a message that’s displayed when you boot that warns you the phone isn’t stock.