Wouldn't the age verification provider then be able to retain logs of what exact credentials it signed and for whom? And if the certificates are identical for every user, couldn't everyone change the presented certificate for the universal correct one?

Second one is a lot more sensible.