Actually, the more I think about this the weirder it is as a threat model. Photo ID pictures are basically only worth the value of the info printed on them to an attacker. They’re likewise not really valuable to retain as a business, because you might as well retain the information as tabular data, and then have a checkbox for “we saw this on a physical ID”. The only upside of storing the photo of the ID is if a business doesn’t trust its own employees, so having the photo provides them a way to make sure their employee really checked it.

An attacker who pops my bank’s network doesn’t need to look for ID photocopies: my identifying info is in the database in an already parsed format.