What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
Context
I’ve read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it’s not clear to me why.
The recommended approach seems to be using aud and sub claims …
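The following is an added example in Python, not part of the original question, showing what keying an account on the `aud` and `sub` claims looks like next to keying it on `email`. It assumes the ID token's signature and expiry have already been verified by an OpenID Connect library; the client id, the account store and the three claim dictionaries are constructed sample data. The stable identity is the `(iss, sub)` pair (the same `sub` can be reused across issuers), `aud` is checked so a token minted for a different client is rejected, and the email lookup is included only to make the collision visible: two distinct subjects presenting the same address resolve to one local user, and the second token does not even carry `email_verified: true`.

```python
"""
Added example (not from the original question): keying user accounts on the
ID token's (iss, sub) pair instead of its email claim.

Assumes the token signature and expiry were already verified upstream.
The client id, the account store and the claim dictionaries are constructed
sample data, not values from any real provider.
"""
from dataclasses import dataclass, field


@dataclass
class AccountStore:
    by_subject: dict = field(default_factory=dict)  # (iss, sub) -> local user id
    by_email: dict = field(default_factory=dict)    # email -> local user id (weak lookup, for contrast)
    next_id: int = 1


def subject_key(claims, expected_aud):
    """Return the stable identity key (iss, sub) for verified ID token claims.

    Raises ValueError on an aud mismatch: a token issued to another client
    must never be accepted as a login here.
    """
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # OIDC allows a string or a list
    if expected_aud not in auds:
        raise ValueError("aud mismatch: token not issued for this client")
    if not claims.get("iss") or not claims.get("sub"):
        raise ValueError("missing iss or sub claim")
    return (claims["iss"], claims["sub"])


def login_by_subject(store, claims, expected_aud):
    """Find-or-create the local user keyed on (iss, sub); email is never a key."""
    key = subject_key(claims, expected_aud)
    if key not in store.by_subject:
        store.by_subject[key] = store.next_id
        store.next_id += 1
    return store.by_subject[key]


def login_by_email(store, claims):
    """The pattern the question asks about: find-or-create keyed on email.

    Shown only for contrast: two distinct subjects that present the same
    address land on the same local account.
    """
    email = claims["email"]
    if email not in store.by_email:
        store.by_email[email] = store.next_id
        store.next_id += 1
    return store.by_email[email]


CLIENT_ID = "example-client-id"  # constructed

# Constructed claims: TOKEN_B is a different subject at a different issuer
# carrying the same email address, with email_verified set to False.
TOKEN_A = {"iss": "https://issuer-a.example", "sub": "1001", "aud": CLIENT_ID,
           "email": "alice@example.org", "email_verified": True}
TOKEN_B = {"iss": "https://issuer-b.example", "sub": "9f2c", "aud": CLIENT_ID,
           "email": "alice@example.org", "email_verified": False}
# Same subject as TOKEN_A, but minted for another client id.
TOKEN_OTHER_APP = {"iss": "https://issuer-a.example", "sub": "1001",
                   "aud": "some-other-client", "email": "alice@example.org"}


def demo():
    """Return (ids under subject matching, ids under email matching, other-app rejected)."""
    s = AccountStore()
    a = login_by_subject(s, TOKEN_A, CLIENT_ID)
    b = login_by_subject(s, TOKEN_B, CLIENT_ID)   # distinct subject -> distinct account
    e = AccountStore()
    a_mail = login_by_email(e, TOKEN_A)
    b_mail = login_by_email(e, TOKEN_B)           # same email -> same account, unverified
    try:
        login_by_subject(s, TOKEN_OTHER_APP, CLIENT_ID)
        rejected = False
    except ValueError:
        rejected = True
    return (a, b), (a_mail, b_mail), rejected


if __name__ == "__main__":
    print(demo())  # ((1, 2), (1, 1), True)
```

Running the module prints `((1, 2), (1, 1), True)`: subject matching keeps the two subjects apart and refuses the token issued for another client, while email matching merges them. If a deployment does want to offer email-based linking on first login, that step should at least require `email_verified` to be true and should store the `(iss, sub)` pair afterwards so later logins no longer depend on the address.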