> If someone shares their ID publicly, that person could be identified and blocked, so this would probably be limited to sharing of ID to the people in person's social circle.

This was the thing your proposal was supposed to do:

> User hasn't revealed any PII data besides "is_over_18" value to the site and identity authority doesn't know which site user is accessing.

If you have that, someone sets up a service that uses their ID (or a set of IDs from any data breach) to provide tokens to anyone.

If the tokens can be mapped back to the IDs, the alleged privacy protection is fake. If they can't, you don't know whose ID is being used to generate tokens for third parties.

Your choices are "no real privacy protection" or "you don't know who is sharing tokens" and the first one is unacceptable, at which point you might as well use the simpler system.

For most KYC verifications just a picture of an ID card is not enough. Identity authority KYC process shouldn't allow that IDs from a data breach to pass verification.

Same ID also cannot be registered more than once at the same identity authority.

Identity authority doesn't provide tokens, but signs (nonce + requested age data) requests that user gets from a service he's trying to access. User needs to be logged in to do that.

If user shares identity authority credentials, that would show in suspicious auth pattern (e.g. accessing from multiple locations at the same time) to identity authority and account should be blocked and require the whole KYC process again.

There is an issue of someone with stolen ID registering at identity authority where true owner of ID hasn't registered and passing KYC process. This could me mitigated by, for example, limiting at which identity authorities a citizen of a specific country can register, limiting the number of concurrent registrations at identity authorities concurrently (for example an ID can be registered at max one identity authority globally at a time. You would need to close account at current identity authority to open it at another) and/or stricter KYC verification (like in person).

Again, even if someone succeeds in registering with stolen ID, sharing of the credentials still needs to be limited in order to avoid getting blocked.

In short, it all depends on identity authorities doing a good job at KYC verifications process.