Those are usually from automated user accounts, not actual bots.

But doesn't that prove the ineffectiveness of requiring KYC in this case? Bad actors will just scrape the private API, bypass the verification and do their mischief, while good users who want to create bots now have to compromise their privacy by providing identity information.

And the difference is?

Bots are officially sanctioned as such and have an application ID in the developer console as well as a label in the client. Alternatively, nothing's stopping someone from taking a user account's authentication token and making the same calls, but that's against TOS (Discord calls them selfbots). The KYC they use won't protect against this kind of abuse.

Not to mention the possibility of a widely deployed moderation bot being used to attack the servers/channels they're running on, en masse.