The risks of retina scanning are the same regardless whether in blockchain or any other domain. The company collecting your retina signature/hash/data gets breached, your PII is stolen, sold on the black market, and criminals use your biometric data to create fake, fraudulent identities and accounts and steal stuff in your name. This is already happening, just without the biometric data.