I'm pretty sure the SafetyNet Deamon on your phone generates some sort of result that's based on your phone's fingerprint. This would mean if you'd want to pass SafetyNet on let's say a google pixel, you'd need another google pixel that generates the 'passing SN result' and then pass it to your unlocked google pixel. This may be possible but I don't have 2 identical phones for programming.

Also, the google framework is closed source and very obfuscated making it very difficult to figure out how SafetyNet actually works. SafetyNet itself checks the Zygote proccess for changes, so hooking in to your android phone to analyze a true SN pass would theoretically be impossible already. It'd be very hard to route a true safetynet result with a locked phone. But, if I can help in any way, I'll be glad to do so. Not experienced enough with how android 8 and up work to tweak them though.