Ideally the law would require websites (and apps) to provide some signed age requirement token to the client (plus possibly classification) instead of the reverse. Similarly OS and web clients should be required to provide locked down modes where the maxium age and/or classification could be selected. As a parent I would the be able to setup my child device however I wish without loss of privacy.

Is it bypassable by a sufficiently determined child? Yes, but so it is the current age verification nonsense.