
Every place I've used that, email addresses are not publicly visible. To compromise that, they'd need to guess the very long random email address and its very long random password.


I've seen instances where the password recovery workflow indicates the email address to which a reset request has been sent, or other mechanisms by which addresses may be revealed.

That's far less frequent now, and definitely not best practice.

However, there may also be bugs and data breaches which reveal such information.



