Of course.

One could ask what is better, use services which do the KYC themselves, or those who engage a third party authentication service?

In general, I think I'd prefer the third-party service, because they should work with the newest standards regarding identity theft protection and storage of the documents. Ideally, they wouldn't even need to store them, only to give an "OK" to the service provider, that the data of their users is correct. And the "verified data" items should also be stored more safely, of course.

One could argue that identity verification services could be an especially interesting target for hackers to steal identities, but I guess these would target mainly smaller services knowing that their practices aren't on the newest state of the art. Only in the case of a big, established service provider I'd accept them to do KYC themselves.

The problem is of course that often you don't even know who does the KYC verification - the crypto service provider or a third party, and which third party. So you don't know whom you'd have to trust. It is definitely better if they clarify this on their website or in their ToS.

I thus agree that there are many problems with KYC and it should be avoided if possible. But for some service categories it's difficult, and thus I continue to think that thinking about "best practices" - or better: "least worst practices" - isn't a bad idea.