For what it's worth, I have a VM on their cloud offering and I've never had to provide them with an ID.

So how do you explain that I never have had to show an ID?

Just because Hetzner has had processes that can involve ID checks if deemed necessary for a long time doesn't mean that they check ID for everyone.

A large statistical model, likely run by some third-party attestation service, said so. It's mostly used to refuse service where governments require that (say, no service for North Korea), or to people known to repeatedly do fraud, etc. But false positives occur; sometimes an inspection by a human helps (send an ID).