If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle.

If someone uploads shared token publicly, it's hard to identify who did it and anyone can use it until you rotate the token for everybody.

> If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle.

This was the thing your proposal was supposed to do:

> User hasn't revealed any PII data besides "is_over_18" value to the site and identity authority doesn't know which site user is accessing.

If you have that, someone sets up a service that uses their ID (or a set of IDs from any data breach) to provide tokens to anyone.

If the tokens can be mapped back to the IDs, the alleged privacy protection is fake. If they can't, you don't know whose ID is being used to generate tokens for third parties.

Your choices are "no real privacy protection" or "you don't know who is sharing tokens" and the first one is unacceptable, at which point you might as well use the simpler system.