That's true. I lost count of how many posts I saw from my peers discussing the use of an exchange address for the sign-up campaign. Most of them seem to know the risk, but they probably think that they're quite confident it won't happen to them for whatever reason. That being said, I think it's still worth telling them the risk every now and then because education is the key to increasing awareness. How many times have we seen database leaks or users storing their seed phrase online? It can be tiring repeating what we said, but it's necessary for the benefit of the community.