Does that even matter when the same set of eyeballs theoretically produce the same hash? It leaking has the same effect, what more benefit would having the “real” eye scan have to an attacker that just wants to use your bank account?

I guess if every PoS that supports bio also required a camera and human verification, then you couldn’t just pass the hash to some API