by 3np 2055 days ago
Sure, there's no silver bullet and the author never claimed it's perfectly secure (is there such a thing?). But this is definitely an improvement - it clearly limits exposure.

To successfully do a brute-force the attacker would also need the salt, which means that the database by itself will not yield any e-mail addresses.

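The point about the salt, as an added example that is not from the thread: a random salt stored beside each hash still lets anyone holding the database run a dictionary over it, because the salt is in the same row; only a secret kept outside the database (a keyed hash, here HMAC with a "pepper") makes the table on its own useless. Function names, addresses and the candidate list are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the thread): two stored users and the
# candidate addresses an attacker holding a leaked table would try offline.
USERS = ["alice@example.com", "bob@example.org"]
CANDIDATES = ["carol@example.net", "alice@example.com", "bob@example.org"]

def normalise(email: str) -> bytes:
    return email.strip().lower().encode()

def unkeyed(email: str) -> str:
    # Plain SHA-256: anyone holding the table can recompute it.
    return hashlib.sha256(normalise(email)).hexdigest()

def per_row_salted(email: str, salt: bytes) -> str:
    # Random salt stored in the same row: blocks precomputed tables, but an
    # attacker with the database reads the salt and still runs a dictionary.
    return hashlib.sha256(salt + normalise(email)).hexdigest()

def keyed(email: str, pepper: bytes) -> str:
    # HMAC under a secret kept outside the database (env var, KMS, HSM).
    # The application recomputes this for lookups; the column alone is inert.
    return hmac.new(pepper, normalise(email), hashlib.sha256).hexdigest()

def recoverable(rows, candidates, guess_fn):
    # Addresses confirmable from leaked rows [(digest, salt_or_None)] when the
    # holder of the table can compute guess_fn(candidate, salt).
    return [c for c in candidates
            if any(hmac.compare_digest(guess_fn(c, s), d) for d, s in rows)]

def demo():
    pepper = secrets.token_bytes(32)  # lives in config, never in the DB
    plain_rows = [(unkeyed(e), None) for e in USERS]
    salted_rows = [(per_row_salted(e, s), s) for e in USERS for s in [secrets.token_bytes(16)]]
    keyed_rows = [(keyed(e, pepper), None) for e in USERS]
    return {
        "unkeyed": recoverable(plain_rows, CANDIDATES, lambda c, s: unkeyed(c)),
        "per_row_salt": recoverable(salted_rows, CANDIDATES, per_row_salted),
        # Without the pepper the best the table holder can do is unkeyed guesses.
        "keyed_no_secret": recoverable(keyed_rows, CANDIDATES, lambda c, s: unkeyed(c)),
        "keyed_with_secret": recoverable(keyed_rows, CANDIDATES, lambda c, s: keyed(c, pepper)),
    }
```

Running `demo()` shows both stored addresses recovered from the unkeyed and per-row-salted tables, none from the keyed table without the pepper, and all of them again once the pepper is available, which is what the application itself needs for lookups.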

Another benefit isn't a security one, but a user-friendliness one: This forces all emails to your users to be initiated by them in some way, which limits future business decisions about sending email by automated processes. Good for users, but may be bad for business.
Also, possibly illegal. If you have a data breach, you must contact your users.

Probably better to use encryption with public / private keys.