This project is not THE digital wallet, it is an early prototype of the wallet (which can be criticized for what it is, but the issue is somewhat orthogonal).
The actual infrastructure is not based on attenstation, if you read the guidelines (or the readme) they actually want to implement a double-blind approach with ZKPs, which imo is significantly better than a challenge-response pub key system in term of privacy as some suggested. And allows for cross-platform (and in theory hardware) support.
If you're not familiar this would mean the verifier doesn't learn anything except a statement about attributes (age, license, etc); and the EU doesn't learn what attributes have been tried to verify or by who.
This is misleading. They are merely exploring options that may allow for issuer unlinkability, but they are actually implementing a linkable solution based on standard cryptography that allows issuers (member state governments) to collude with any verifier (a website requiring age verification) to de-anonymize users. The solution is linkable because both the issuer and the verifier see the same identifiers (the SD-JWT and its signature).
The project is supposed to prove that age verification is viable so that the Commission can use it as a success story, while it completely disregards privacy by design principles in its implementation. That the project intends to perhaps at some point implement privacy enhancing technologies doesn't make it any better. Nothing is more permanent than a temporary solution.
It will also be trivial to circumvent [1], potentially leading to a cycle of obfuscation and weakening of privacy features that are present in the current issuer linkable design.
[1] >>44458323