I've some idea about the problem.
If there is a email in the id_token, up to the scope you use at the first time the user login in your app.
Remember, first time.
If the user login with authorize request without email scope, then you can never retrive the email of him even you use email scope in the later authorize request.
There is a way to retrive again, is that the user delete your app in his apple id setting, and login again with email scope.
It has wasted me a lot of time.
I think it's a design problem. But obviously, apple don't think so.
Kicey
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution