
Having a "username" that you log in with which is different from the email address would solve the same issue.


Yes, because that's the same as requiring two passwords. It's even more secure to get three or five. But using the email address serves a different purpose: people rarely forget them.


Not really: in the event of a leak, two hashed passwords leak less information than a hashed password and an email address.

Why have 2, not 1? Well, one of them has to be globally unique on the site; the other has to be hard to guess. Two different requirements.


You can say that for sufficiently high values of hard, "hard to guess" implies "globally unique".
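The exchange above (a leaked table of hashed username plus hashed password revealing less than email plus hashed password, and the username only earning that property when it is hard to guess) as an added example, not code from any commenter. It simulates a dumped user table under both schemes and shows what an attacker learns from the dump alone. The sample accounts, the site-wide salt, the PBKDF2 parameters and the attacker's candidate-name list are all constructed assumptions for the demonstration.

```python
"""Simulate a leaked user table under two login schemes.

Scheme A: the login identifier is the e-mail address, stored in the clear.
Scheme B: the login identifier is a separate username, stored only as a
hash, so the dump holds two hashes per user and no e-mail address.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # assumption: any modern cost parameter
SITE_SALT = b"example-site-salt"  # assumption: site-wide, so it leaks with the dump


def hash_password(password: str, salt: bytes) -> bytes:
    """Per-user salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def username_key(username: str) -> bytes:
    """Deterministic lookup key for a username.

    It must be deterministic so the login handler can find the row; the
    site salt only defeats precomputed tables, not a dictionary attack on
    guessable names, which is why the username has to be hard to guess.
    """
    return hashlib.sha256(SITE_SALT + username.encode()).digest()


def build_scheme_a(users):
    """Rows: (email in clear, per-user salt, password hash)."""
    rows = []
    for email, _username, password in users:
        salt = os.urandom(16)
        rows.append((email, salt, hash_password(password, salt)))
    return rows


def build_scheme_b(users):
    """Rows: (hashed username, per-user salt, password hash); no e-mail stored."""
    rows = []
    for _email, username, password in users:
        salt = os.urandom(16)
        rows.append((username_key(username), salt, hash_password(password, salt)))
    return rows


def login_b(rows, username: str, password: str) -> bool:
    """Scheme B login: both the username and the password must be right."""
    key = username_key(username)
    for stored_key, salt, pw_hash in rows:
        if hmac.compare_digest(stored_key, key):
            return hmac.compare_digest(pw_hash, hash_password(password, salt))
    return False


def emails_from_dump_a(rows):
    """What an attacker reads straight out of a scheme A dump."""
    return [email for email, _salt, _pw in rows]


def usernames_from_dump_b(rows, candidates):
    """Attacker's dictionary attack on scheme B's hashed usernames.

    Returns the recovered name per row, or None when no candidate matched.
    """
    table = {username_key(c): c for c in candidates}
    return [table.get(key) for key, _salt, _pw in rows]


# Constructed sample accounts: one guessable username, one random one.
USERS = [
    ("alice@example.com", "alice", "correct horse battery staple"),
    ("bob@example.com", "x9Qv-7LmT2pR", "tr0ub4dor&3"),
]

if __name__ == "__main__":
    dump_a = build_scheme_a(USERS)
    dump_b = build_scheme_b(USERS)
    print("scheme A dump reveals:", emails_from_dump_a(dump_a))
    print("scheme B dump, likely-name dictionary:",
          usernames_from_dump_b(dump_b, ["admin", "alice", "bob"]))
    print("scheme B login for alice:",
          login_b(dump_b, "alice", "correct horse battery staple"))
```

The dictionary attack recovers "alice" from the scheme B dump but not the random username, which is the caveat the thread converges on: the second hash only withholds information when the username is itself hard to guess, at which point it is doing the job of a second password.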


It is also a built-in way to do password reset, and they are automatically globally unique, by definition.



