So I was checking out this other bank and their procedure to log onto their online services is even more convoluted. And looking at other banks' offerings...the more, I look, the less I'm sure where to go from here.
I forgot to mention, there is some extra glitch with Magisk on my device; Magisk normally checks the ro.build.tags prop and sets it to release-keys if it was set dev-keys or test-keys, custom ROMs have it set to one of the latter two. It's written in /system/build.prop file that is generated during build process, which may be modified with rw access to /system.
The glitch is when Magisk modifies it during runtime, getprop utility returns the updated value, but a programmatic check through Java still returns the old value unless you modify build.prop file directly.
I don't know whether that app checked build tags first or the presence of busybox binary, which, BTW, is actually present on certain official ROMs! I just identified the relevant blocks of code by taking its APK file apart with APKTool. It looks like root checks span across both Java code and one of the bundled native libraries.
So the things that I identified are successfully hidden on my phone, at least undetectable by Native Root Checker and RootBeer Sample apps. I also tried registering with the previous version of the banking app, which, in logcat, specifically mentions "negative root check", but no luck, log indicates their server returned some error code.
Of course, they could be blocking older versions. Back to the current version, I also tried changing my device's fingerprint, didn't help neither.
The thing about blocking my phone's serial number is pure speculation on my part, but this could be it as part of its code does read it. I figured the serial number is passed to the Linux kernel via androidboot.serialno=xxx paramater by device's bootloader.
There's also possibility that some hole still exists through which root may be detected. One such hole is known, but can be avoided by using Magisk fork with modules functionality stripped, which I ended up installing, though I haven't found that it's actually used by the app.
I guess they could also block the numeric ID they give to their customers to activate the app, but then even using different phone wouldn't make a difference...
I also messed around with various versions of Android-x86 on my laptop. It has its own quirks. Good to know ART cache (Dalvik cache in older versions, but still residing in /data/dalvik-cache in newer versions) wasting a lot of space is the problem of Android 7.x in general. I haven't been able to pass SafetyNet test on it, not even the basic one, so there goes the idea of using PC port of Android for that stupid app.
Not much positive is written about passing SafetyNet on Android-x86 AFAIK, just some guy hinting using his Magisk module safetypatcher supposedly helps, which just changes phone's fingerprint in a different way during runtime. But since changing the fingerprint directly in build.prop isn't evidently a problem, since I could do it on my phone and still pass the check and the author of MagiskHide Props module, which also changes the fingerprint, says it won't help if one is unable to pass even the basic check, that's just another dead end.
Finally, removing Magisk on my phone = SafetyNet check not passing due to custom ROM
Downgrading to latest official ROM (Android 4.4.4) = inability to run the banking app at all since Android 5+ is required