When a German eID or eAT (residence permit) is read electronically, a restricted_id can be created if the reader requests it.
The restricted_id is bound to the card and the reader.
Every time the card is read, the same restricted_id is created.
This is like an OpenID Connect PPID (pairwise pseudonymous identifier) or a Mobile Connect PCR (pseudonymous customer reference).
The restricted_id should be stored in the claim.
Deutsche Telekom is using restricted_id when reading eIDs according to TKG §111.
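
The pairwise behaviour described above, as an added example that is not part of the original text or of any eID software: a simplified model of the key-agreement-then-hash shape of Restricted Identification in BSI TR-03110, where the card combines its secret with the reader's public key and hashes the result. The toy group, the function names and the layout of the claims dict are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption, illustration only): real cards use
# standardized elliptic-curve domain parameters, not this modulus.
P = 2**255 - 19
G = 2


def keypair():
    """Return (secret, public) in the toy group."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def restricted_id(card_secret, reader_public):
    """Card side: key agreement with the reader's public key, then hash."""
    shared = pow(reader_public, card_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()


def read_card(card_secret, reader_public, request_restricted_id=True):
    """One read. The identifier exists only if the reader requests it,
    and it is stored in the resulting claim (hypothetical dict layout)."""
    claims = {}
    if request_restricted_id:
        claims["restricted_id"] = restricted_id(card_secret, reader_public)
    return claims


if __name__ == "__main__":
    # Constructed sample: two cards, two readers with separate keys.
    card_a, _ = keypair()
    card_b, _ = keypair()
    _, reader_1 = keypair()
    _, reader_2 = keypair()

    first = read_card(card_a, reader_1)
    second = read_card(card_a, reader_1)
    print("same card, same reader  :", first == second)
    print("same card, other reader :", first == read_card(card_a, reader_2))
    print("other card, same reader :", first == read_card(card_b, reader_1))
    print("not requested           :", read_card(card_a, reader_1, False))
```

A service that stores the claim can key its account record on restricted_id, but only for reads made through the same reader; the value for the same card at a different reader does not match, so records cannot be joined across readers by this identifier.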