your KYC bitcoin provider requires you to receive using a multisig address in the same way they would require you to receive using a covenant. If you search you can find interviews of Adam Back talking about this exact subject. His opinion covenants are not a threat that is not already a threat by multisig
Discussion
I would need to research more about the specifics but my intuition is that although it’s possible, it wouldn’t be practical to implement and/or not scalable. It seems that #covenants would make it very easy and that’s why they are dangerous. Pointing this as the argument to justify that #covenants aren’t a threat seems weak.
restricting with recursive covenants would be extremely complex to do, just like a multisig KYC lock would be. But both are possible in theory. One can be done today, the other requires a softfork.
Your intuition is wrong, so I suggest you take your own advice and research more.
A whitelist address server is far more scalable than bitcoin. It would also be quite possible, practical, to implement. It could be done today with multisig. You simply have a 3rd party api that you call to get a signature for the multisig send. If the output address doesn't appear in the whitelist, signature denied.
This is the same thing they could potentially do with covenants except it can be done today without a softfork.