The desire to pass "official data" from someone outside of the entity you're directly interacting with is the design flaw. Stop having that.
> Where ZKPs are used (eg for proof of age over 18) you're describing exactly what the proposal seems to expect.
I suspect that it isn't, because the only systems that actually work in terms of privacy correspondingly can't provide you with any way to identify someone if they're anonymously providing proof of age to anyone who asks, and then it would only take one person to set up a service to do that for everyone. Whereas if you can catch someone who does that you've just proven that the privacy protections aren't real.
> The system provides for an auditing service to ensure this doesn't happen without user consent.
You're suggesting that someone is going to audit something that happens inside of every private company. That's either going to be a box-checking exercise with zero effectiveness or a massively expensive ordeal that only compounds the problem by expanding access to include a set of government auditors -- or both.
The only way three people can keep a secret is if two of them are dead. If you don't want corporations to have your private information, you can't give it to them and then try to stuff the cat back into the bag. You have to prevent them from having it to begin with.
Laws requiring them to collect it are the opposite of that.