[hakfoo]

Trying to control data by by format restrictions seems a little iffy.

If you offered a "isOver18" call to avoid exposing an actual age or date of birth record, you'd have to offer a whole range of others for a lot of legitimate needs (isOver21 for alcohol sales, isOver59.5 for some retirement account stuff, isOver55/60/65 for senior discounts, etc).

You could chain a bunch of those to at least pull a marketing-sufficient age category, and potentially a full age or DOB depending the number of such functions offered.'

If the identity providers asked users each time for consent a verification request cane in, that could limit that abuse pattern, but I suspect it would be the sort of thing where users got notification fatigue very fast and just start clicking "don't ask me again".