because if you know someone's email address you have now also discovered that they have an account with a particular service which you should not be able to do.
Can’t you do this anyway on the service? You are assuming there is no rate limiting and the passwords are used directly as bearer tokens to access the site.
But since you are giving advice to the DESIGNER of the site, why not simply tell them not to use passwords? https://qbix.com/blog for example
As soon as you find a valid login, you can test all known passwords (plus variations) associated with it.