An attacker can lie about what their device id is

How would it know the right device id to spoof? (Definitely doable in a MITM scenario, but more complicated in others).

Pick one of the most popular keyboards used by your target and reuse it. That's how I'd do it. It's not going to get everyone but I think it's a legitimate approach.

The alternative methods looking at the time between keystrokes seems more reliable.

Keystroke delay based heuristic is just naive, all that means is that the attack needs to happen on an idle system.

In an ideal world, vendors would actually populate the serial number field with a number that's at least semi-random.

On this computer, only the USB-C HDMI adapter and the fingerprint reader have a serial number that looks random :-(

What about spoofing?