by nabakin 1397 days ago
You mean, if you format the email in the right way, you can get your email alias to send an email to someone, before they send a single email to you?

Let's say I have made an alias from bob@duck.com to bob@example.com. I don't need any verification from Bob to be allowed to do that. Therefore I can do stuff with that email now, including registering on websites with the duck email and sending emails to Bob from that website.

Well, I can't tell in how many ways that can be harmful, but for example, if Bob is tricked into clicking the legit link from the website and entering his personal information, then I can change the alias to my own email, reset the password and have full access to Bob's verified account. So yeah, that's one big flaw IMO.

But that's only if someone knows that your email is bob@duck.com, right? (And the same would happen if someone knew your true email address was bob@example.com - they could just send emails there.) I think the intended use case is that you use a different and unique alias, e.g. randchars83@duck.com, for every service. At least, that's how we intend Firefox Relay to be used. Then you can just throw away that alias if it starts getting used for unwanted messages.