That only works in the context of when the sender isn't the adversary, which isn't the case in an age verification system - it very much does treat the sender as the enemy and untrusted. And again, the revocation chain on the backend is not zero proof.

That's only an issue if getting the proof involves somehow identifying the service you are sending it to. If it's a generic 'send me a proof' it's not necessarily a problem, though of course it would be better if you could just generate your own proof.