you ask the user for it if they want to recover the account and hash it. if the hash matches your previously stored hash then you send the email
other providers that position themselves as secure for activists or journalists do exactly that and they cannot handle that information
in that particular case the people involved were identified through their recovery email which they did not hash like 'safe' other providers do. they have positioned themselves as safe even for activist and journalists and have failed to deliver in that account consistently.
no surprise since their CEO is a MAGA guy
there has been in the news several instances where proton has given to law enforcements information that have hold onto. in some cases regarding journalists.
their answer is always "ah, yeah. we do keep that one, but not the other data"
before you ask...an example https://privacyradar.com/news/privacy/proton-mail-payment-data-stop-cop-city-activist-identified/
and even with that, recent iphones are way easier to repair than a few years ago. I would not say anyone can do it, but it’s definitely easier than before when you basically had to disassemble the whole thing
I’m convinced that is a generated metric that is far away from reality. the objective is too make their product seem better than it is