You can indeed get fingerprints from high-resolution photos or from surfaces, but those attacks don't scale. It's really hard to collect bulk information that way.
The concern is not what the school is planning to do with it, but what happens when the data (inevitably) gets breached. We've already seen one company that collects this data (not for schools) in a supposedly secure manner suddenly leave it all exposed unencrypted on the internet by accident.
And I would absolutely not rule out the possibility of this data being sold to the highest bidder like you say. There are already questions around the data that the NHS app is sending to a company owned by a Tory donor. I assume that schools are not running these systems themselves, and I would never trust a third party not to abuse it.
Government or law enforcement will absolutely be able to access the data if they want to as well; the GDPR principles do not apply to law enforcement or security agencies.
From 2019 to 2022 I managed a sales team for a company who developed and sold their own biometric fingerprint readers.
The technology, insofar as the 'data' (i.e. the fingerprint itself) goes, is completely sound - the data (the fingerprint) is immediately encrypted into binary data, 0s and 1s - and cannot be reverse engineered into an image of that finger again.
Now, the software behind the hardware contains profiles, which you can elaborate information upon depending on the application of the fingerprint reader. So, for example, a school may have: person's name, age, school, form, and transactional account with which the student could make the purchases.
This software is the same as any other software in terms of vulnerabilities, and is potentially equally able to be protected to the same degree as any other software.