Blockchain claimed their service as a noncustodial wallet service. But I doubt it's not a true noncustodial wallet. It's pretty sure blockchain staff could see the wallet id and emails as well. To be more honest, even a site would code like this that staff would directly log in to the user account without a password. If the site isn't open-source we can't verify it and without a web developer expert who can read the code language, no one could detect it. So abusing the system is possible. But if there is an activity log on the admin system, then it's possible to detect who abuses the system. Because if someone scam by blockchain staff, then I think the user will not stay calm and eventually authorities would notice it. Anyway, I believe the story op mentioned on the thread is an issue of hacking. If someone would hack the email, means it's pretty easy to find the wallet id. Then hacker could change the email accordingly.