by WA 1022 days ago
That is the security researcher perspective, but it’s a UX nightmare resulting in a lot of confusion for normal users, because they don’t get any info on whether they even have an account or are trying to use the correct email address.

Okay. Why not add a configuration option for this then so people who know what they are doing would be able to opt in for the more secure way?
I used to think info about whether an account exists should not be leaked in the password reset flow, and I designed sites this way, but then someone pointed out that in practice a hacker would then just move to the account sign-up flow to check for the existence of an account. (If account exists, you cannot make another with that email on most sites.) I never had a good response for that. I now lean toward the idea that not providing info is just not worth the bad UX.
> If account exists, you cannot make another with that email on most sites.

Many sites require you to verify your email before you can use your account. If you wanted to avoid leaking whether an account existed, you could show them a message like "if this account doesn't already exist, a message has been sent to your email asking you to verify it". If the account did exist, you might send an email like "someone tried to create an account with your email".
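The password-reset flow from the earlier comment and the sign-up flow described just above, written out as one backend that answers both requests with a fixed message and only varies what it emails. This is an added example, not code from the thread or from any site discussed in it; the in-memory user store, the `Outbox` stand-in for a mail sender, the template names and the function names are all hypothetical.

```python
"""Sign-up and password-reset handlers that do not reveal whether an address
is registered.  Added example, not code from the thread; USERS, PENDING,
Outbox and the function names are hypothetical stand-ins for a web backend."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample store: email -> verified flag.  A real backend would use a DB.
USERS: Dict[str, bool] = {"alice@example.com": True}
# Outstanding verification / reset tokens: token -> email (hypothetical).
PENDING: Dict[str, str] = {}

# The requester always sees the same text; only the email, if any, differs.
RESET_MESSAGE = "If an account exists for that address, we have emailed a reset link."
SIGNUP_MESSAGE = "If that address is not already registered, we have emailed a verification link."


@dataclass
class Outbox:
    """Stand-in for an email sender: records (recipient, template, token)."""
    sent: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)

    def send(self, to: str, template: str, token: Optional[str] = None) -> None:
        self.sent.append((to, template, token))


def _normalize(email: str) -> str:
    # Case and whitespace differences must not create a second "distinct" address.
    return email.strip().lower()


def request_password_reset(email: str, outbox: Outbox) -> str:
    """Return the generic message; a reset link goes out only to a verified account."""
    email = _normalize(email)
    token = secrets.token_urlsafe(32)  # generated on both paths so the work is similar
    if USERS.get(email):               # registered and verified
        PENDING[token] = email
        outbox.send(email, "password_reset", token)
    else:
        # Tell the mailbox owner, not the requester, that no account exists there.
        outbox.send(email, "reset_requested_no_account")
    return RESET_MESSAGE


def request_signup(email: str, outbox: Outbox) -> str:
    """Return the generic message; the branches differ only in what is emailed."""
    email = _normalize(email)
    token = secrets.token_urlsafe(32)
    state = USERS.get(email)           # None: unknown, False: pending, True: verified
    if state is True:
        # Existing account: warn its owner; the requester cannot tell this branch apart.
        outbox.send(email, "signup_attempt_on_existing_account")
    else:
        # Unknown or still-pending address: (re)issue a verification link, so a
        # pending entry created by someone else never locks the real owner out.
        USERS[email] = False
        PENDING[token] = email
        outbox.send(email, "verify_email", token)
    return SIGNUP_MESSAGE


def consume_token(token: str) -> Optional[str]:
    """Redeem a one-time link.  Either link proves control of the mailbox, so the
    account is marked verified; returns the email, or None if the token is unknown."""
    email = PENDING.pop(token, None)
    if email is None:
        return None
    USERS[email] = True
    return email
```

The identical response text closes the direct leak, but the two branches still do different work (a store hit versus a miss, one mail template versus another), so in a real handler the send should be queued rather than performed inline, and the lookup and token generation kept on both paths, so that response time does not depend on which branch ran. Note also that the "no account" notice on the reset path is a design choice: it costs nothing against the attacker, who does not receive it, and it tells a legitimate user why the link never arrived.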