> the usual flow is rather like Google's OAuth - the site needing you to prove your age rediects to the provider (Google, or whoever), who asks questions to verify your identity, and then replies with "over 18" or "not over 18".
This is false. There are many problems with age verification, but the EU approach does not involve the id provider in the verification flow. The site requiring verification presents a QR code which encodes a presentation request and the provider controlled URL which is to receive a presentation of the age credential, and then the smartphone generates a unique presentation signed by a device bound key and sends it to that endpoint.
It is however true that in addition to the one bit of information saying age>18, what is also revealed is the public key of the identity provider. This will at least reveal the nationality of the credential holder and - in the case there are multiple issuers within a nation - may reveal even more information about their demography.