In all KYC schemes some trust is needed to the employees of identity services. The problem is that if a services store a high-resolution images of its users and their ID documents, if they get leaked much more harm can be done than with basic info or low-resolution ID document copies.

No, it's not needed normally. For example website owners often can simply access their servers via SSH which uses a simple asymmetric encryption scheme, you store your public key on the server and authenticate with your private key stored on your device. (Well, and also Bitcoin works this way )

The same principle can be used for all kinds of communication. If the customer has a Nostr account (an open source social network), then he can identify simply with his private key and exchange messages, chats etc. so this could be even used for "contact".

The big advantage to use a Nostr-like system to authenticate instead of email is that the user can create as many Nostr accounts as he wants, and everything is done on his own computer, so there is no intervention from a third party like an e-mail provider. So it's much easier to create one account for each KYC service you use, and thus for hackers it's more difficult to link the data together and build identities.

That this kind of registration isn't very popular for typical "massive" internet (and also crypto) services is true, but technically it's absolutely no problem.