If I were implementing something like this, it would just be a link to an auto-expiring viewer page, if you opened the email in a third-party email client.
And according to Google, that's exactly how it's implemented:
This is unfortunately how lots of people and companies think "secure" email needs to work. Any message from my bank or doctor works this way, even if it is something as simple as an appointment reminder. It is a massive waste of users' time and programming effort, but I'm afraid that is where the world is moving.
Unfortunately doctors have to do this because the common legal interpretation of HIPAA and the HITECH Act is that they have to.
Dates of service for a patient are protected health information. Most covered entities and business associates won't risk sending any PHI using methods that are not covered under the safe harbor provisions of the HITECH Act. So... endless proliferation of "secure email" systems instead of using email. (And I don't see S/MIME taking off anytime soon as an alternative, even though that would be sufficient to qualify for safe harbor.)
I've already experienced this with employers and when buying a home using "HP SecureMail" and some Microsoft e-mail encryption. All they would have in the e-mail body is a link and I would need to validate my identity in some way to access the "protected" content through the website instead of it just being in my e-mail.
I agree that this is something to be concerned about, but according to the instructions it doesn't require a Google login, so you could do the entire session in a private browsing window if you wanted, as long as you can get the verification code by SMS or the email address.
I assume the mail body is simply a URL pointing to somewhere the email can be read. Once there it would need to be rendered in the browser as an image.
“Malicious programs” such as any standards-compliant email software?