My concern is more private use. I get my face scanned to enter my workplace, and the (biometrics) company state that they retain that for up to 3 years beyond end of employment.

To me, that's up to 3 years too long.

And I don't "mind" it, so long as that information was stored locally and could be purged by HR when an employee ls no longer employed, as part of an after-employment checklist. For example, if you have a company with 700 active employees, then on your LAN you have the biometric hardware/software operating and it contains no more than 700 faces, and doesn't face anything public, as it's only used to allow/deny entry to the building. Doesn't need a web facing control panel, no need to store that data 'in the cloud', etc.

But, that's not how things are done. The biometric company could be bought up by another. It could be hacked. It could be secretly funded by any alphabet agency or sharing data with them.

If it was private use, open source, localized installs across companies and company owned worksites... no problem.

As far as public stuff goes? I'm kind of with you. I have cameras. I use them. Moreso when I lived in the city. Shortly after installation I thought all the hoodlums were casing cars on the street because they were walking in the street instead of on my sidewalk. Turns out they noticed the cameras and thought they were out of view of them if they just walk in the middle of the road. Nope, I still see ya buddy.