Also my id, I think, is just an optimism crypto address 0x93bf030f706e81197856e76c8a3b326640... with no name attached. You'll have a job stealing my identity with that, any more than it's easy to steal Satoshi's because you know his public bitcoin addresses.

I mean if you go to a credit card company and say I'd like to get a card in the name of some guy I don't know the name and address of but here's one of his public keys, I don't think you'll get far. Certainly not compared to getting my real name and address which is fairly exposed on the internet via phone directories and the like.

I don't think if say the photo of my iris's leaked online it would be much of a problem in the same way that the rest of my face is online and it's not much of a problem because no one accepts some photo off the web as proof of id.

One thing I think may be flawed is if I say hi I'm Tim, send me some money to the above address, then you can see all my other transactions to that address on the blockchain which breaks anonymity/privacy a bit. I'm not sure if they are going to fix that by say issuing disposable addresses but I haven't seen that so far.

I don't know why you're comparing a high definition full iris scan to random photo of you, they aren't the same things. The point is security is made of things you know and things you have, and eyes are hard to pass around, so someone being able to "have" your eyes to fool a scanner is useful for many classes of attacks, we don't need to know the full attack chains yet to know it's inherently a risk because it turns a thing you have into a thing you and Worldcoin and whoever worldcoin sells or gets hacked by - all have.

Even if it's encrypted, if worldcoin gets breached in a particularly bad way (say root to their production servers) then the unencryption mechanism and keys could be leaked along with the encrypted data.

The point being that just because something is encrypted doesn't make it foolproof against everything.