Safety net can be worked around using Magisk (including v24.3) by enabling Zygisk, downloading UniversalSafetyNetFix and MagiskHidePropsConfig, running the "props" binary from adb shell and selecting a known factory device fingerprint. and then adding the apps to the "DenyList".
You also need to clear the data of Google Play Services and Google Play Store, and of the apps that detected root.
AIUI, Zygisk is a Google-approved variety of Magisk. The real issue with SafetyNet bypass is that it's inherently unreliable because Google could at any time require a locked bootloader running stock OEM ROM for passing SafetyNet, so any rooted device would be SOL.
From what I'm reading many newer devices require a locked bootloader, else SafetyNet will fail. So realistically I think that means only Pixel phones could work, since they support relocking the bootloader with a non-stock ROM.
Lots of phones support relocking to a user provided key (OnePlus does for sure) but it's a less trusted state than locked to the vendor key, I don't think it counts as good enough for full SafetyNet
You also need to clear the data of Google Play Services and Google Play Store, and of the apps that detected root.