Prerequisites / Assumptions

Duplication of RO cred can be simple and so mitigation like short time duration and online verification are often employed to prevent replay attacks.
Note that online verification is a privacy risk of the issuer leaning where the cred has been used. This logging is also considered to be a positive security feature as attacks during of after presentment can be evaluated.
One well-know replay attack against a smart health card COVID credential is that when installed on an Apple wallet, it can be displayed to another phone which can capture the cred and install in the reader's wallet.

Use Case Details

...