An attacker is going to take the path of least resistance. Are they going to spend several hours trying to edit out your watermark and end up with a result which might still be rejected by whichever service or bank they are trying to fool, or are they just going to move on and use someone else's KYC data instead? When KYC data is widely available to be bought on black markets for ten or twenty bucks for hundreds of users' worth of data, then an attacker is simply going to ignore the one user who has a difficult to remove watermark.

Although obviously neither is good, there is a difference between something like a hospital leaking your documents and something like Ledger Recover leaking your documents. In addition to the risk of identity theft which is common in both scenarios, if Ledger Recover leak your data then you make yourself an instant target for crypto thieves, attackers, and scammers, as well as losing all privacy since your wallets/addresses/coins are now publicly linked to your real identity.

The usefulness of much of your data to an attacker is time limited. You can't take out a loan with an expired passport or ID card. If somewhere is asking for a copy of a recent bill, they usually want it within the last few months. Every time you complete KYC, you reset the clock.

Yes.

I have never once completed KYC with any crypto service, nor will I ever do so, yet I would wager I spend, trade, send, and receive bitcoin more frequently than 99% of the users on this forum. Bitcoin was designed precisely to avoid centralized third parties. KYC is not the default position - quite the opposite. Rather than asking why we avoid KYC, you should be asking why so many other people are happy to complete KYC.