Age verification in general is not intended to defend against people lying or using stolen credentials. If you’re 13 but know the password to your dead grandpa’s account and the website in question has no idea he’s dead, there’s no way to defend against that, with or without a ZKP.

What the ZKP does is let you limit the information the site collects to the fact that you are under 18, and nothing else. It’s an application of the principle of least privilege. It lets you give the website that one fact without revealing your name, birthdate, address, browsing history, and all your other private data.

What prevents one kid in a friend group or in a school from sharing the same identifier?

After all - if it doesn't share anything other than a guarantee of the "age" of someone who is authenticating with the website then how would the website know there's re-use of identifiers?