This is not how remote attestation works. It’s the whole point of the age verification of the wallet that such meta data doesn’t have to be stored. The data submitted is transparent and can be viewed before accepting the verification. It’s in the core concept that this process is unlinkable and the goal is to implement this with ZKP (Zero-Knowledge Proof) mechanisms.
That is in the technical spec for this proposal. It is designed for exactly this kind of requested online anonymity.
Does this have to be watched? Absolutely Yes. What you’re doing here is spreading FUD though without any proof whatsoever just because “iTs fRoM tHe gOv”. Now I don’t know your frame of reference and it’s probably a good idea to keep a healthy level of mistrust in place but(!) the EU does a lot of things correct and I take this over any system designed by a private company that is definitely always only interested in our best: money.
The source is the technical spec. Read this yourself more closely!
And let’s not ignore the demo part:
And yes it is good that people watch this carefully (and voice their concerns in a civil matter, which does not seem to be the case with most heated comments from your examples). But!
This is the very same with e.g. Let’s Encrypt. Or a VPN ‘service’. Or CloudFlare, that so many people love to hide behind.
What ifs. The spec does explicitly not allow exactly this and it’s our job to investigate such providers closely and in doubt start and run trustworthy providers ourselves. And Let’s Encrypt is again a prime example for something like this.
Oh and no nothing in the spec nails this down to Google or Apple alone. These are examples for smartphones for existing eco systems. I do not need a smartphone for e.g. AusweisApp and I will ask the same for E-Wallet because this is also in the specs (Interoperability) and explicitly not tied to some vendor specific eco system but to protocols and cyphers.
And this is where the next FUD may come in: TPM[1]. This does [also] exactly this: Device attestation and is a perfect candidate for regular PCs. That’s probably just the next can of worms for you though and with this I’ll end this discussion because even with plenty of What Ifs I do not see this solved from anyone in any better way - and again especially not from some company like Dis-fuckin-cord. This is exactly what a GOV exists for and they’d be sleeping on their job not providing digital ways for this very use-case.
[1] And just so that you may understand my POV on this: I demonstrated against TCPA back in the days. I can accept TPM tho. It’s a rather useful compromise and something similar exists for most smartphone ALSO. That is a good thing because this is responsible for keeping e.g. password wallets private. Something the “oh noes, Windows requires TPM now” crowd never understood - and this is from a die hard Linux user for decades.