> A site can still choose to have a login system if it wants to. Sites can still rate limit based on IP address or cookies or whatever they use today.

So then you don't need either attestation or government IDs, right?

> The idea would be to use ZK proofs to demonstrate that "yes, this anonymous request is from a client acting on behalf of an adult human EU citizen" - that's something that is not easy to do today.

But how is that even useful? Is it good to exclude real people from Korea or South America? Do we really expect criminal organizations or for that matter even children to be unable to find a single adult EU citizen willing to anonymously loan them an ID?

It's about as plausible as criminals being unable to run their code on a device that can pass attestation. They're both authoritarians with a conflict of interest trying to foist a hellscape on everyone under a pretext their proposal can't even really address.