If companies are required to verify age, then it's in their best interest to store all tokens, just in case they are ever accused of not verifying it.

The Swiss E-ID system stores people identifiers and token status lists in their so-called "Base Registry". From https://swiyu-admin-ch.github.io/technology-stack/#credentia...

> Decentralized Identifiers (DID) developed by the W3C represent an identifier standard that provides a subject-controlled method for identifying individuals, organizations, or objects online. In the swiyu Trust Infrastructure, DIDs are utilized as a standard identifier for issuers and verifiers. They are centrally hosted on the swiyu Base Registry.

> In this protocol, the trusted authority issues certifications (“trust statements”) concerning the identity (i.e., who is the real-world identity controlling a DID) and legitimacy (i.e., who is allowed to issue or verify credentials of a specific VC schema) about an entity as SD-JWT VC and publishes these trust statements in the trust registry.

> Token Status Lists are signed, maintained and published by the credential issuers but hosted on the Base Registry.