
> If the request allows checking arbitrary ages like Apple's, then you can get their age with a handful of requests. If one has to verify every visit, then you can get exact birthdate eventually.

If you assume a sensible rate limit, that entering the check is voluntary (and unlikely to fail), and that people age monotonically, then it's going to require a lot of cooperation from the victim to get more than a couple of bits of entropy.

I wouldn't trust Apple here regardless, since they are not the state and have their own separate interests.



You can get the age quite quickly with a binary search. If everyone is between 1 and 100, that's no more than 7 requests. The only way this wouldn't hurt privacy excessively is that it has to work the other way around. You, not the app, request a verification token from a government API that only says you are above 18, which expires once in a while. The token should bear no other information about you and be single use so it cannot be correlated between different sites. For the US, it should also be on a federal level (the verification scheme, not the age verification requirement) to reduce the bits from knowing your state, which is a lot for small states.
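Added example, not part of the thread: a Python model of the two designs discussed in the comments above. It measures how many yes/no answers a caller-chosen threshold check gives away for ages 1 to 100, next to a fixed-threshold, single-use token that yields only the over-18 bit. All names (`make_threshold_oracle`, `recover_age`, `FixedThresholdIssuer`) are hypothetical, and the in-memory issuer is an assumption that models single use only, not expiry.

```python
import secrets

def make_threshold_oracle(age):
    """Hypothetical check where the caller picks the threshold to test."""
    calls = {"n": 0}
    def is_at_least(threshold):
        calls["n"] += 1
        return age >= threshold
    return is_at_least, calls

def recover_age(is_at_least, lo=1, hi=100):
    """Binary search over [lo, hi] using only yes/no answers."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if is_at_least(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def worst_case_queries(lo=1, hi=100):
    """Largest number of answers needed to pin down any age in [lo, hi]."""
    worst = 0
    for age in range(lo, hi + 1):
        oracle, calls = make_threshold_oracle(age)
        assert recover_age(oracle, lo, hi) == age
        worst = max(worst, calls["n"])
    return worst

class FixedThresholdIssuer:
    """Hypothetical user-requested token: fixed threshold, random, single use."""
    THRESHOLD = 18  # the only question this design can ever answer

    def __init__(self):
        self._unspent = set()

    def issue(self, age):
        if age < self.THRESHOLD:
            return None
        token = secrets.token_hex(16)  # carries no attribute of the holder
        self._unspent.add(token)
        return token

    def redeem(self, token):
        """A site learns one bit; a replayed token is rejected."""
        if token in self._unspent:
            self._unspent.remove(token)
            return True
        return False

if __name__ == "__main__":
    print("worst-case queries for ages 1..100:", worst_case_queries())
```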



