Right, but those companies don’t know what services people are trying to use Verify for (in the same way that the services don’t know which identity provider you used). The part of Verify that uses Piwik is the hub in the middle that brokers the identity flow.
But you still have to give the Verify companies enough data that a breach of their systems would be very serious. Eg. If the Post Office (an organisation that recently falsely sent a load of employees to prison due to their own cocked up IT project) gets hacked, they have (or could have) dates of birth, 6 years of addresses, email addresses, etc. of a good number of gov.uk users.
You don’t give the majority of those details to the Post Office (or other providers), they ask you questions about the data they already hold on you. The passport and driving licence information is checked via APIs provided from the government to accredited companies, and the system is designed such that that data isn’t stored by the identity providers (beyond a flag to say that that form of identity has been verified).
