If you've ever been carded at a bar/liquor store in a foreign country, then that random small business has seen your passport, no? How do you feel about that?
Being human to human, unless they're wearing tech that would allow them to scan/archive it, normally they just verify (eyeball it) and you get it back.
Here, with this system, they could verify and keep the data regardless of what I think is going on.
If you can't assume that a website you upload a scan of your ID to isn't capturing details about it, then you can't assume that a bouncer checking your ID isn't wearing a surreptitious HMD, no? In both cases, you're submitting your PII to an unknown process that seems like it should be safe, but with no previous experience or brand image there to tell you whether there's actually any proof that it's safe.
That's a silly stretch. It's vastly more likely that a website fetching copies of a passport image is leaking copies or leaving the files where it shouldn't by accident and has the data exfiltrated by third-party identity thieves, compared with a bouncer having a secret scan-quality camera installed by identity thieves without the bouncer noticing.
Who said anything about the bouncer not noticing? I'm presuming that the bouncer is the identity thief. If you're looking to make money as an identity thief, being a bouncer is the perfect job!
There was a story on Reddit a few months back, about a bouncer who, when handed real ID cards, claimed they were fakes, and proceeded to immediately "cut them up" (so that people didn't feel any need to demand them back, since what are you going to do with scraps of an ID card?). The bouncer was actually palming the real ID and cutting up a random piece of plastic instead, and then later handing the real ID card off to the owner, who sold them on the black market. One victim of this scheme figured it out after being a victim of identity theft, as they traced back a submitted capture of the photo ID that some third party had retained, to the one that got "cut up." The police raided the establishment, and a whole ring of people were caught up in it. It was a whole thing.
There's nothing that leads me to believe that this isn't a simple, obvious, repeatable, low-stakes, high-margin criminal business model. As such, it probably happens a lot.
I would still assume identity theft via websites being hacked is a lot more common, and likelihood is an appropriate factor when evaluating protective actions. But you make a good point about the bouncer.
In the EU, you don't hand over your ID/passport like a credit card in the US. You show it while keeping it in your hand. The second party can verify your age, while being unable to copy stuff like the machine-readable zone.
Here, with this system, they could verify and keep the data regardless of what I think is going on.