Yes it is vulnerable to an attacker who is willing to present himself in person with a fake ID to target a specific account. However it's not scalable or remotely exploitable.
Since it requires a human looking at an ID and then pressing a button, the system triggered by the button press is likely quite exploitable no? Or even worse, scanning and storing an ID, which allows spoofing if those get compromised.
Recovery key isn’t susceptible to that - and isn’t susceptible to fake-id-spotting-ability or bribeability of staff either.
