
Reading the emails is not enough: they would need to send some secret to the email associated with the account to link the power to exchange keys to ownership of the account. Just reading a legit-sounding email and relying on from-address is 100% susceptible to abuse.
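The challenge flow this comment describes, as an added example that is not part of the thread or of the service's own code: a one-time secret is mailed to the address on file, and only its return authorizes the key change. The class name, the in-memory store and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a challenge stays valid (assumed value)


class KeyResetChallenges:
    """Pending key-replacement requests, keyed by account (hypothetical store)."""

    def __init__(self, clock=time.time):
        self._pending = {}  # account -> (token_hash, new_pubkey, expires_at)
        self._clock = clock

    def request(self, account, new_pubkey):
        """Create a one-time secret for this account and this exact key.

        The caller mails the returned token to the address ON FILE for the
        account, never to the From address the request arrived with.
        """
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()  # store only the hash
        expires_at = self._clock() + TOKEN_TTL
        self._pending[account] = (digest, new_pubkey, expires_at)
        return token

    def confirm(self, account, token):
        """Return the key to install if the token is valid, else None."""
        # Single use: the challenge is consumed by any attempt, right or wrong.
        entry = self._pending.pop(account, None)
        if entry is None:
            return None
        digest, new_pubkey, expires_at = entry
        if self._clock() > expires_at:
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return None
        # The key comes from the stored request, so a reply cannot swap it.
        return new_pubkey
```

Because the installed key is the one recorded when the challenge was issued, possession of the mailbox is proven without trusting anything in the confirming message except the token.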


This is an operation for people to have little sandboxes for fun. Not only is the threat model significantly lower than your average social network but the blast radius is too.

It’s also worth noting that there’s a multitude of ways one could take over these machines if they were determined enough. The entire principle behind this is giving people shell access for giggles. So we aren’t exactly talking about VPSs for serious business here.

While security is always important for anything online, it’s also important that security is balanced against appropriateness. Here the point is a little slice of the old days even though that does invite some risk.


Usually your email doesn’t even make it into the spam folder but just gets straight rejected if the DKIM signature isn’t valid.

Unless the admin doesn’t know how to run an email server in 2022.


It's also worth considering threat models. It may be worth risking account takeover if they can keep the reset flow user friendly. Not every site needs bulletproof security; this one seems lower risk.



