The fatal pitfall of password recovery over media that are not end-to-end encrypted.
It is common to see webpages that let you recover your account using only your e-mail address, without encrypting the recovery message any further; this is a fatal error of today's internet and must be fixed as soon as possible.
Google can read your mail if you use Gmail (Microsoft if you use Outlook) and do not encrypt it with GPG or another E2EE scheme; Google in fact does so to show personalized advertising. But what happens if Google is someday compromised?
If somebody gains unauthorized access to your mail, they need nothing more to reset your passwords and steal your accounts.
This is a problem E2EE can help solve: with E2EE the private key you use to read your mail never leaves your computer, so nobody can read your mail or messages even if they gain unauthorized access to the server.
This would improve the overall security of all users, and of course their privacy.
Webpages should take care to provide a way to send recovery messages encrypted for a specific private key. This can be done with a public/private key scheme: you submit your public key at sign-up and the webpage encrypts recovery messages with that public key, so the message can only be read with the corresponding private key.
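The scheme described above, as an added example written for this page (it is not code from the original post or from any particular website): the user generates a key pair locally and submits only the public half at sign-up; when a reset is requested, the site seals the recovery token for that public key with RSA-OAEP, so the mail provider relaying the message sees only ciphertext, and only the private key that never left the user's machine can open it. The function names, the "account-recovery" OAEP label and the sample token are assumptions made for the example; a real deployment would also need the public key registered over an authenticated session and a way for the user to back up the private key, which this example does not cover.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// oaepLabel binds the ciphertext to its purpose so a recovery message cannot be
// confused with other data encrypted to the same key (hypothetical label).
var oaepLabel = []byte("account-recovery")

// GenerateUserKey stands in for the key pair the user creates on their own
// machine at sign-up. Only &key.PublicKey is ever sent to the website.
func GenerateUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptRecoveryMessage is the website's side: it seals the recovery token for
// the public key stored at sign-up. The result is what gets e-mailed, so the mail
// provider (or anyone who breaks into it) only ever holds ciphertext.
func EncryptRecoveryMessage(pub *rsa.PublicKey, token string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(token), oaepLabel)
}

// DecryptRecoveryMessage is the user's side: it runs locally with the private key.
// Decryption with any other key fails, which is the whole point of the scheme.
func DecryptRecoveryMessage(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	plaintext, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(plaintext), nil
}

// LeaksToken reports whether the token appears verbatim in the message body,
// i.e. whether a mailbox reader could use it directly. For the plaintext flow the
// page criticises this is true; for the encrypted flow it must be false.
func LeaksToken(body []byte, token string) bool {
	return bytes.Contains(body, []byte(token))
}

func main() {
	// Constructed sample token; a real one would be a random, single-use value.
	const token = "reset-token-EXAMPLE-0123456789"

	user, err := GenerateUserKey()
	if err != nil {
		log.Fatal(err)
	}

	// Website encrypts for the public key registered at sign-up.
	sealed, err := EncryptRecoveryMessage(&user.PublicKey, token)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("token visible to the mail provider: %v\n", LeaksToken(sealed, token))

	// User opens the message with the private key that never left their machine.
	recovered, err := DecryptRecoveryMessage(user, sealed)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("user recovered the token: %v\n", recovered == token)

	// Anyone holding a different key (the provider, an attacker) gets an error.
	other, _ := GenerateUserKey()
	_, err = DecryptRecoveryMessage(other, sealed)
	fmt.Printf("decryption with another key fails: %v\n", err != nil)
}
```

RSA-OAEP is used here because a recovery token or link is short enough to fit in a single RSA block; for longer messages the same idea would use the public key to wrap a symmetric key that encrypts the body, which is what GPG does.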