In the case of E2E encryption, it's definitely a hill to die on, there is no way to make a backdoor "only the good guys" can access. But in this case, the long standing refusal for the tech industry to engage in even the lightest of lobbying towards having legal regulation for standards seems to bite us in the ass every now and then. We've seen it time and time even for things that are non controversial and would clearly benefit everyone: why is BCP 38 not mandated by law in any country? Why is IPv6 at the ISP consumer edge not mandated by law?
All of this could have had the same effect if instead of putting the onus of age verification on millions of websites, you instead put it onto the "customer end device", with some definition as to have it only apply to anyone who sells devices used to access online content with more than X% market share (meaning effectively Microsoft, Google on behalf of all Android OEMs and Apple, plus TVs and console makers).
You'd also put into law what content providers need to do to become compliant. It drops from "having a robust system of age verification" into "if you're serving content over HTTP and your content is for over 18, you need to send a specific over 18 header". If you're publishing an app on a walled garden app store, you need to specify the age rating (as one does already). If you state your page is good for under 18s when it's actually over 18, you then incur a fine.
Then it's really just up to OS makers to build support for the above into the parental controls functions that mostly already exist. Implement the header checking on the browser. Then restrict over 18 apps and outside app store that aren't explicitly authorised: this ensures no alternate browsers could be installed or ran by a child, while leaving them freedom to roam the web and install under 18 apps. The issue with existing parental controls is twofold: the web is a wild place and manually vetting every single app your kid wants to install is overbearing so everyone gives up on parental controls.
Then it's a matter of, when you buy a phone for your kid, you click a button "the user is a child, enable parental controls, set the grown up password". If parents fail to even do this, then clearly it's their own fault?
You'd specifically leave out non-HTTP protocols and leave a bunch of technical loopholes that could be exploited by technically minded people. It would both limit the amount of wreckage to things the common people doesn't even know it exists and make sure this wouldn't creep into places it doesn't belong. Sure, teenager who downloads Arch into a USB pen drive and boots off it can then access whatever they want, or someone who finds they can get into IRC and XDCC a bot for hot JPEGs, but at that point they clearly earned it.
I get the feeling that we've fucked it, left very important regulations up to people who have no clue and now we get the most onerous and worst implementation possible of things every single time put into law. We could have done the same with cookies, there's like, three browsers. Remember P3P? https://en.wikipedia.org/wiki/P3P
You can make a backdoor that only the good guys can access--it's not even hard thanks to public key cryptography. The problems are:
(1) The good guys might be sloppy in how they handle you data, so they might leak or or they themselves might get hacked.
(2) The good guys might later become the bad guys.