I think it should be like this:

— If you are actually need metadata, for compliance, legal, security reasons, then yes. Fail if fail to found

— If you just want FIDO, then you can just drop entire trust root verification

Yes, you can certainly add other vendors Metadata Statement, if you wish.

You should read this article: https://fidoalliance.org/fido-technotes-the-truth-about-attestation/