You are correct that those who steal the KYC document or hack the KYC document never share the details publicly and don't say where the document came from. At the same time those who purchase these types of document never share the details of the document, where to use the documents or from where it came from.
People must be responsible to keep their very important and sensitive documents like identity documents safely. If they lost those documents to hackers, it's their responsibility by having bad security practice on their own devices. If they did KYC on one or some platforms, their identity documents can be leaked, sold or whatever by those platforms and they can not control it, though they must think of why they decided to do KYC.
Why KYC is dangerous and useless.If they want to dive more into privacy, there are many resources.
Bitcoin privacy resources.