A huge criticism of Aadhar is that with Aadhar, a court order isn’t necessary. The Aadhar act allows any lookup authorized by mid level bureaucrats.
Also, given that a lot of Aadhar data has leaked (even the biometrics have leaked in some states[2]) and given the lack of privacy legislation in India, it’s trivial for private entities, including scammers, to know your bank accounts.
Wide availability of bank account info has enabled a number of social engineering attacks[1].
Separately UPI remains vulnerable to SIM cloning as the phone number is crucial to UPI identity.
