This is essentially the Birthday paradox. You need a quadratically better false match rate to deduplicate than to authenticate.
It’s also why Worldcoin went with Irises (highest entropy among biometrics), custom hardware, custom optics and an in-house trained algorithm.
The Iriscode (if it's the same as Daugman's iriscode) has tested so far to have 249 bits of entropy, or over 10^74 combinations [1]
So even with the birthday paradox you'd need 10^37 people before having a good chance of a collision, which is rather more than we are likely to have in the next few centuries.
Of course, it's possible that there are some subpopulations who don't have this amount of entropy in their irises, most obviously the small number of people who have a birth defect such that they are born without eyes.
This is a really good comment. But of course the problems in authentication and de-duplication are also different in that you care about adversarial false-positives much more once authentication is the goal. As I understand things, Worldcoin claims the retina scans won’t be used to control funds (or other services.) I am skeptical that many of those users will retain their non-biometric wallet credentials long-term, which will leave you with a database of biometric credentials that will have to be used for authentication if you want to use those credentials for anything important in the future.
