because it's guessable. If I sign up with Coinbase@example.com, real Coinbase will send me legitimate emails to that address, and so will scammers, so I have to dig into the headers to make sure the email is or isn't forged.
Yes, but I can be sure that coinbase_xyz@ is from evil, while coinbase_abc@ (the new address that I changed it to, post-leak) is probably not from the hackers unless there was a second breach.