That’s one way to put it…
But I assert that no SmartThings Customer expects their Email Address to be revealed to any third-party unless explicitly requested.
More generally, please refer to the very big hubbub that resulted from 3rd party smart home security researches eviscerating SmartThings and is described in this Topic below (and the half-dozen or so Topics that are linked to it).
The access to device.owner absolutely falls into the same general category of concern. I hope that @slagle or @dlieberman or designates give it the same level of response.