But these systems are then trivial to bypass by a person who publishes their private key for others to use for impersonation. If the site can't determine if the same ID is used for multiple requests, they can't prevent it. And if the gov isn't able to see which site is requesting the data, neither can it.
Systems like the EU's digital identity wallet use hardware-based security. The private keys are generated by the secure element in your smartphone or something equivalent on a smart card, and any operations that need the keys during a verification are done in that secure element.
IIRC the new EU spec doesn't actually require using "secure elements" that could limit the user, only says they should be used if present. It shouldn't be hard to find some device where the hardware isn't present or is insecure to extract the keys from.
Or people could just proxy requests to the device. Even with a reasonable rate limit in place, one donor could provide access for over a dozen people each day.