EUDI wallets are connected to your government issued ID. There is no "highly invasive age verification".
We are literally sending a request to our government's server to sign, with their private key, message "this john smith born on 1970-01-01 is aged over 18" + jwt iat. There are 3 claims in there. They are hashed with different salts. This all is signed by the government.
You get it with the salts. When you want to prove you are 18+ you include salt for the "is aged over 18" claim, and the signed document with all the salts and the other side can validate if the document is signed and if your claim matches the document.
No face scanning, no driver license uploading to god-knows-where, no anything.
> to obtain 30 single use, easily trackable tokens that expire after 3 months
This is the fallback mechanism. You are supposed to use bbs+ signatures that are zero knowledge, are computed on the device and so on. It is supposed to provide the "unlinkability". I don't feel competent enough to explain how those work.
> jailbreaking / "prevent tampering"
This is true. The eidas directive requires that secret material lives in a dedicated hardware / secure element. It's really not much different than what a banking app would require.
> You have to blindly trust that the tokens will not be tracked
This is not true, the law requires core apps to be opensource. Polish EUDI wallet has been even decompiled by a youtuber to compare it with sources and check if the rumors about spying are true. So you can check yourself if the app tracks you.
Also we can't have a meaningful discussion without expanding on definition of "tracking".
Can the site owner track you when you verify if you are 18+? Not really, each token is unique, there should be no correlation here.
Can the government track you? No, not alone.
Can the site owner and the government collude to track you? Yes they can! Government can track all salts for your tokens, site can collect all salts, they can compare notes. There are so called policy mitigations currently: audits and requirements for governments to remove salts from memory the moment stuff is issued.
Can they lie? Sure.
Can the site owner and the government collude to track you if you are using bbs+? No. Math says no.
Can they lie if you are using bbs+? Math says no.
The "open source" apps connect to proprietary backends run by a third party that you have to blindly trust. If EUDI wallets were truly open source and free from blindly trusting any authority, then you could simply remove that requirement and issue your own tokens without the use of potentially malicious third party.