There are only two real ways to implement that. One is the "attribute certificate" is still tied to your full identity and then people won't be willing to associate them. The other is that the attribute certificates are fully generic (e.g. everyone over 18 gets the same one) and then someone will post it on the internet and, because there is no way to tie it back to a specific person, there is no way to stop them and it makes the system pointless.
Correct. In practice the latter isn't really possible because the issuer can always record the subject public key info, or the serial number, or a hash of the certificate, and they can then use that to identify the real subject. However for low-value things I might use them.
No, you can do the latter. You literally have a secret that implies the bearer meets the particular characteristic (e.g. is over 18). They don't each get their own certificate, they all get the exact same one down to the last byte, so you can't correlate it with anything other than the group of people who are over 18.
But then there's nothing stopping any of them from sharing the secret with people outside the group.
That's going to make it less economical, but it still doesn't even fix it. Even implausibly assuming the cards are perfectly secure so nobody could extract the shared private key from any one of them, somebody who wants to share their authorization could just plug their card into an internet-connected machine and have it sign for anyone else at will. If you give them the ability to sign you might as well give them the private key.
The basic problem is that there are people who will have the credential but want to thwart the operation of the system. If you can't unmask them then your system is thwarted. If you can, your system is an invasion of privacy that would have chilling effects because you're demanding for people to tie their most sensitive activities to their government ID.
