There are three different types of biometric verification: Remote, Interim and Local.
— Remote assumes that you send your biometrics (a scan of the iris, a fingerprint, etc.) to a remote server. That’s what the police and the Home Office use.
— Interim means that a unique, persistent identifier of the biometric is generated by the interim device, such as a fingerprint scanner, and that identifier is sent to the server. This is used, for example, by Disney World, where they generate your fingerprint identifier, which allows you to access the park without a ticket.
— Local is what modern smartphones do. They record your biometrics into the secure enclave or TEE on the device. When you unlock your phone with your biometrics, the verification is done on the chip. If verification succeeds, it unlocks the secure enclave, thus allowing access to cryptographic APIs, and returns a status of verified. No biometrics ever leave the device. The same goes for biometric passports.
So biometrics are good, so long as they are used for local verification.
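The local model described above, as an added sketch that is not part of the original page: the match happens inside the enclave, a key becomes usable only after a match, and the server sees nothing but a challenge response. The `Enclave` and `Server` classes, the bit threshold and the templates are constructed for illustration, and the shared HMAC key is a simplification assumed here to keep the sketch standard-library only.

```python
import hashlib
import hmac
import secrets

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class Enclave:
    """Stand-in for a secure enclave / TEE: the template stays inside it."""
    THRESHOLD = 6  # assumed: max differing bits still counted as a match

    def __init__(self, enrolled_template: bytes):
        self._template = enrolled_template
        self._key = secrets.token_bytes(32)

    def provision(self) -> bytes:
        # One-time registration: key material is shared, never the template.
        return self._key

    def sign(self, sample: bytes, challenge: bytes):
        # Matching happens "on the chip"; the key is usable only after a match.
        if len(sample) != len(self._template) or \
                hamming(sample, self._template) > self.THRESHOLD:
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.received = []  # everything that crossed the wire

    def verify(self, challenge: bytes, response) -> bool:
        self.received.append(response)
        expected = hmac.new(self.device_key, challenge, hashlib.sha256).digest()
        return response is not None and hmac.compare_digest(expected, response)

# Constructed 64-bit feature vectors, not real biometric data.
ENROLLED = bytes.fromhex("a3f19c5507e2d418")
OWNER_SCAN = bytes.fromhex("a2f19c5507e2d41a")     # same finger, 2 noisy bits
STRANGER_SCAN = bytes.fromhex("5c0e63aaf81d2be7")  # unrelated template

def demo():
    enclave = Enclave(ENROLLED)
    server = Server(enclave.provision())
    def attempt(scan: bytes) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per attempt
        return server.verify(challenge, enclave.sign(scan, challenge))
    owner_ok, stranger_ok = attempt(OWNER_SCAN), attempt(STRANGER_SCAN)
    return owner_ok, stranger_ok, ENROLLED in server.received
```

`demo()` returns whether the owner verified, whether the stranger verified, and whether the enrolled template ever reached the server.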