Exposing such confidential data does need you to be a authorised service provider which most of the gambling sites aren't. Hence, they shouldn't be trusted with KYC documents either.
Now that you mention it, these guys are going to get in trouble with GDPR coming into effect tomorrow. Only data controllers and processors, as identified by the GDPR, will be allowed to request personal data - and they must be able to justify for it on several causes, plus be able to demonstrate compliance for data protection. My guess? None of these guys can do that.
I hope the next time they ask for someone's ID and that person is in the EU, the person contacts the Supervisory Authorities to go after them.