Does the auth flow for id.me go through that domain on the ccTLD or do they use a different gTLD for the auth flow?
If the auth flow for a government service goes through a foreign nation's ccTLD, that's a terrible, terrible precedent to set. Hopefully the US is on good terms with Montenegro, now and forever.
Montenegro and Domen D.O.O. Podgorica, the company that runs the .me domain, can redirect the domain as desired, without effective repercussion or recourse. Domen's and the Montenegro government's beneficial owners are not publicly known. One would hope that the security relationship between the IRS and ID.me would be effective enough to defeat such an attack, but we don't know who the beneficial owners of ID.me are either, or anything about its infrastructure and supplier security... But one expects they would happily sell that information anyways.