Fully open architecture so every point can be audited by every connection.
Security
Confidentiality Integrity Availability
Top down design of protocols by a security- and privacy-conscious organization rather than leaving security to corporations as a side item or PR campaign topic when their primary focuses are marketing, advertising, data collection, and intellectual property.
Stop using email as a trusted authentication source.
This is a case where using it was super convenient because you could have a personal identifier, an easy way to contact the user, and be reasonably sure that password resets would only reach the intended user all in one convenient plaintext string.
However it's also a single point of failure and if a malicious actor can get access to your email account, they can get access to most of your other accounts that use that same address
Edit: MFA being available in more places has reduced the risk of this happening, assuming that you use it and it's also deployed correctly. ie: it can't be reset from the same email address that your password resets go to.