I admit that I am pretty ignorant to the really technical aspects of security but it seems that using authentication data for anything other than authentication is poor practice. I can understand the desire to use facial stuff to make interesting technology but I would prefer knowing that it is only used for the purpose of unlocking my device and nothing else. It seems fingerprints are less interesting for other apps so there wasn't the same motivation to share it.
Am I being an alarmist or is it reasonable to be concerned about this?
There's a missing link between "third-party apps have access to the depth sensor data" and "depth sensor data is used to identify your face for FaceID". The iOS biometric authentication API is basically just a call for the OS to check your information and return whether or not it succeeded [1]. Third parties can't just take the biometric data and use it to bypass your authentication without having physical access to your phone.
Am I being an alarmist or is it reasonable to be concerned about this?