There is email validation, and the public key is handled between the ssh client and server. If there is no valid public key this code would not even run. The fingerprint is prepared from this valid public key.
Regarding having the email in the ssh pub key: maybe it is there, but it is not validated. Anyone could write anything there.