A good starting assumption for this answer is that the only un-hackable database is no database at all.
Data protection legislation (GDPR) already requires data minimisation – only using and retaining the data required for the purpose at hand. It is possible to provide an age verification service without retaining anything other than a personal identifier, e.g. a username (which could be “Mickey Mouse 123” or an anonymised reference number), and, of course, a date of birth. This is perhaps the safest route, as it accumulates no personally identifiable data of any use to a hacker. Any personal data used to determine the date of birth (or to estimate an age range using artificial intelligence) can be deleted.
Some AV providers are also ID providers. To meet the standards of the AV industry, their solutions must let the user disclose only those aspects of their identity they choose, such as their age attribute. Where this is the case, the best practice approach to security is to make it impossible for any data to be retrieved without the user’s involvement – for example, by requiring a digital key that can only be supplied by them from their own device. Without that key, data, whether held remotely or only locally on the device itself, remains encrypted and meaningless.
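The user-held key approach described above, sketched as an added example (not code from any AV provider): each attribute is encrypted with AES-256-GCM under a key that stays on the user's device, so the stored vault is unreadable without it and the device can release just an over-18 answer. The function names, the per-attribute layout and the sample record are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: this key is generated on the user's device and never leaves it.
function newDeviceKey() {
  return nodeCrypto.randomBytes(32);
}

// Encrypt every attribute separately. The attribute name is bound in as AAD,
// so a ciphertext cannot be moved to a different attribute slot unnoticed.
function sealAttributes(deviceKey, attrs) {
  const vault = {};
  for (const [name, value] of Object.entries(attrs)) {
    const iv = nodeCrypto.randomBytes(12); // fresh nonce per encryption
    const c = nodeCrypto.createCipheriv('aes-256-gcm', deviceKey, iv);
    c.setAAD(Buffer.from(name, 'utf8'));
    const ct = Buffer.concat([c.update(String(value), 'utf8'), c.final()]);
    vault[name] = { iv: iv.toString('base64'), ct: ct.toString('base64'),
                    tag: c.getAuthTag().toString('base64') };
  }
  return vault; // safe to store remotely: ciphertext only
}

// Runs on the device: decrypt one attribute; throws on a wrong key or tampering.
function openAttribute(deviceKey, vault, name) {
  const e = vault[name];
  if (!e) throw new Error(`no such attribute: ${name}`);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deviceKey,
                                        Buffer.from(e.iv, 'base64'));
  d.setAAD(Buffer.from(name, 'utf8'));
  d.setAuthTag(Buffer.from(e.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(e.ct, 'base64')), d.final()])
    .toString('utf8');
}

// Selective disclosure: the relying site gets a yes/no, never the birth date.
function discloseOver(deviceKey, vault, years, today = new Date()) {
  const dob = new Date(openAttribute(deviceKey, vault, 'dateOfBirth'));
  const cutoff = Date.UTC(today.getUTCFullYear() - years,
                          today.getUTCMonth(), today.getUTCDate());
  return { [`over${years}`]: dob.getTime() <= cutoff };
}

// Constructed sample record (not real data).
const key = newDeviceKey();
const vault = sealAttributes(key, { name: 'Sample User', dateOfBirth: '2000-01-15' });
console.log(discloseOver(key, vault, 18, new Date('2024-06-01T00:00:00Z')));
```

A copy of the vault taken from the server yields nothing without the device key, and a wrong key or an altered entry fails GCM authentication rather than returning garbage.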
The Age Verification process does not create any new databases of personally identifiable information at risk of being hacked.