I've some idea about the problem.
Whether there is an email in the id_token is up to the scope you use the first time the user logs in to your app.
Remember, first time.
If the user logs in with an authorize request without the email scope, then you can never retrieve his email, even if you use the email scope in a later authorize request.
There is a way to retrieve it again: the user deletes your app in his Apple ID settings and logs in again with the email scope.
It has wasted a lot of my time.
I think it's a design problem. But obviously, Apple doesn't think so.