The crux of the issue is that the verification only tells you if the barcode is valid. However, there are no strong relationships between the barcode and the rest of the visual content (photo, numbers, dates, etc.). Therefore, one can overlay malicious data around the barcode.
The fix would be to allow the verifier to independently retrieve the license details after scanning the barcode, instead of just seeing a valid/invalid message.
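To make the gap between the two checks concrete, here is an added illustration (not code from the thread or from any real licence app): a barcode that carries a signed record of the licence fields, a verifier that only answers valid/invalid, and a verifier that additionally compares the signed record with what the screen shows. The HMAC key, field names and sample licence data are all constructed stand-ins for an issuer signature.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the issuer's signing key (assumption).
ISSUER_KEY = b"demo-issuer-key-not-real"

# Constructed sample licence record; photo_sha256 commits to the photo bytes.
GENUINE = {
    "name": "Alex Example",
    "dob": "1990-01-01",
    "licence_no": "DEMO-0001",
    "photo_sha256": hashlib.sha256(b"genuine photo bytes").hexdigest(),
}


def sign_barcode(record):
    """Issuer side: barcode payload is the record plus a MAC over it."""
    payload = json.dumps(record, sort_keys=True)
    tag = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def barcode_is_valid(barcode):
    """Weak check: says only whether the barcode itself is authentic."""
    expected = hmac.new(ISSUER_KEY, barcode["payload"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, barcode["tag"])


def verify_against_display(barcode, displayed):
    """Strong check: authenticate, then compare signed fields with the screen."""
    if not barcode_is_valid(barcode):
        return False, "barcode invalid"
    signed = json.loads(barcode["payload"])
    mismatched = sorted(k for k in signed if displayed.get(k) != signed[k])
    if mismatched:
        return False, "display does not match signed record: " + ", ".join(mismatched)
    return True, "ok"


def demo():
    """Genuine barcode, but name and photo around it have been overlaid."""
    barcode = sign_barcode(GENUINE)
    overlaid = dict(GENUINE, name="Mallory Overlay",
                    photo_sha256=hashlib.sha256(b"other photo").hexdigest())
    return barcode_is_valid(barcode), verify_against_display(barcode, overlaid)
```

The weak check passes for the overlaid screen because the barcode was never touched; only the second check notices that the displayed name and photo differ from what the issuer signed.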
In Queensland, our police carry iPads. They can basically look you up and get your details on that iPad. I would imagine NSW Police would have something similar: scan the barcode, it verifies it's correct, and then they compare the face on the phone to the one they get on their iPad.
What is the point of each person holding a driver license at all (digital or otherwise) if the only thing that is trusted is the device of a police officer looking up an individual in a database and confirming a face match and/or passcode match?
Could a police officer just ask "I need to look up your license in the database. What is your name, date of birth and passcode so I can find your face in the database and confirm you gave me the correct passcode?"
I take it you're one of those lucky people who don't need to have the NATO phonetic alphabet rendering of their first, middle and last names memorized, because otherwise nobody will get them right.
The police would surely have that, but the app allows verifying anyone else's digital ID as well. Imagine the post office checking your address before handing over a parcel, etc.
Realistically it would be way better if the app didn't even show the face and other details, just the barcode which has to be looked up with a trustworthy device. Everything else is just noise.
https://www.youtube.com/watch?v=oux3tI2V0sY