For the “who” question, I think that when it is private KYC, a trusted party with a huge commitment to keeping data confidential and preserving data integrity must be chosen. Data integrity can be preserved in a confidential and trustless way (just by anchoring the hash of the ID received in a public chain).
For the “how”, it should depend on the purpose for which someone needs to be identified. A newspaper seller never needs to identify his buyer. But if KYC becomes needed to operate in Europe or in Asia, an ENS owner willing to exchange with European or Asian companies requiring a compliant KYC for their countries should pass both of them. We could maybe imagine a way for ENS to have several KYC solutions represented by NFTs. The more KYCs you have done, the more NFTs you have linked to your ENS.
I share your fear that such information would create unintentional “classes”. And maybe a KYC NFT should be needed only for actions for which KYC is needed.
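
The hash anchoring mentioned in the post above, as an added example that is not part of the original post: a KYC provider derives the digest it would anchor on a public chain and later checks a stored record against it. The per-record salt is an assumption added here (ID fields are low-entropy, so a plain hash can be matched by hashing candidate records); the record fields and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

SALT_LEN = 32  # fixed length keeps salt || record unambiguous


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def plain_hash(record: dict) -> str:
    """Unsalted digest: identical for identical IDs, so it is linkable and
    can be matched by hashing candidate records."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def commit(record: dict, salt: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (digest to anchor publicly, salt the KYC provider keeps private)."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    digest = hashlib.sha256(salt + canonical_bytes(record)).hexdigest()
    return digest, salt


def verify(record: dict, salt: bytes, anchored_digest: str) -> bool:
    """Recompute the commitment and compare in constant time."""
    expected, _ = commit(record, salt)
    return hmac.compare_digest(expected, anchored_digest)


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {"name": "Alice Example", "doc_type": "passport",
              "doc_number": "X0000000", "country": "FR"}
    anchored, salt = commit(record)
    print("anchor on chain:", anchored)
    print("intact record verifies:", verify(record, salt, anchored))
    tampered = dict(record, doc_number="X0000001")
    print("tampered record verifies:", verify(tampered, salt, anchored))
```

Only the digest goes on chain; the record and the salt stay with the KYC provider, which reveals them to a verifier only when a check is actually required.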