Because apart from appearing in person with your ID, it's the best way to prove someone's identity. That's why it's used in Germany through the PostIdent , which isn't the same as sending your pic holding the ID, you're actually verified in person too. That's the whole purpose of PostIdent. If companies want an official confirmation they should request it through official means and not over unsecured phones and emails. And it shouldn't be used for something as insignificant as a 50€ luggage claim. If that data is mishandled, the cost to the person will be far higher than 50€, trust me.

The more lax we are with the people who have access to our sensitive data, the more prone we are to become victims of their incompetence. To answer your question directly, as to the consequences of someone else have a pic of you holding your ID, it's simple. I could contact your bank, pretend to be you and do the ultimate confirmation by sending them that pic. How would they know I'm not you if the pic shows that I am AND holding your ID? This could be used to all sorts of scams, and it currently is: many Cryptocurrency websites requested this method of verification for all new users, only to get "accidentally" hacked once they had millions in currency AND sensitive personal data. This has happened to Binance, Cryptopia, etc etc.