You're probably right about KYC, but KYC is just one of the four use cases presented by Stripe, and their customer logos include Clubhouse and Discord, which I highly doubt have KYC requirements or any need to access the underlying evidence.

Stripe could do this differently:

1. Allow the customer to choose whether or not they need access to the evidence.

2. If customer has chosen to receive access to the evidence, the Stripe Identity UI should clearly disclose this. (And they shouldn't try to deceive users by talking about deleting biometric identifiers.)

3. Require customers with access to evidence to adhere to certain security standards, similar to how they treat exports of credit card numbers: https://stripe.com/docs/security/data-migrations/exports#whe...

Stripe could have been a leader in setting high standards on how this type of information is handled. Instead they've opted to go the easy route and maximize profits while the rest of us pay the negative externalities from identity theft.