It’s impossible to do without exposing a private signing cert to everyone, yes. That’s the issue.
You can’t do asymmetric key signing anonymously and with a central issuer.
So either you have to just trust the assertions (0 security) or you have to have a trusted issuer (not anonymous)
A pseudonym issuer is a trusted issuer. There’s no way to do it otherwise. You have to trust someone to make this kind of system work.
It’s less idiocy and more laziness. Any amount of inconvenience is too much for a lot of humans, unfortunately.