The reasonable use case for this seems to be that you'd send a request for payment as part of a payment processing system.
So, user is on your site wanting to buy something, selects "pay with coinbase", and you ask for their email, then send the payment request.
In that case, you'd want to know that the email isn't in Coinbase's system so you could tell the user that the request didn't work, and can they check their email address or try another form of payment.
A reasonable way to limit this would be % of attempts that fail. If you're using this call reasonably, then the ratio of success to fail calls should be in some reasonable range. If it's too high, either you've designed a very confusing interface for payment, or you are doing something fishy.
At a minimum, it would be nice if they just stopped providing users' full names when a request is valid. While it does increase someone's threat surface to have their e-mail address identified as a Coinbase user, it is even more problematic to link names to accounts and makes it easier to spear phish.
They addressed that here[1]. Sending invoices to lists of clients is specifically something they want to allow.
And anyways, an attacker could simply sign up for multiple accounts.
I don't think much of Coinbase technically (terrible execution in the past, use of MongoDB), but this breathless report is really overhyping a minor design decision on Coinbase's part.
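The failure-ratio limit suggested earlier in the thread, sketched as an added example (not code from any commenter or from Coinbase). The class name, window size, minimum sample count and 50% threshold are assumptions, and the two outcome sequences are constructed.

```python
from collections import defaultdict, deque


class FailureRatioLimiter:
    """Per-API-key sliding window over payment-request outcomes.

    An outcome is True when the recipient e-mail resolved to an account
    and False when it did not. All thresholds are assumed values.
    """

    def __init__(self, window=50, min_samples=20, max_fail_ratio=0.5):
        self.min_samples = min_samples
        self.max_fail_ratio = max_fail_ratio
        self._outcomes = defaultdict(lambda: deque(maxlen=window))

    def record(self, api_key, recipient_exists):
        self._outcomes[api_key].append(bool(recipient_exists))

    def fail_ratio(self, api_key):
        seen = self._outcomes[api_key]
        return seen.count(False) / len(seen) if seen else 0.0

    def allowed(self, api_key):
        # Do not judge a key on a handful of calls: a new integration
        # with two typos in a row should not be locked out.
        if len(self._outcomes[api_key]) < self.min_samples:
            return True
        return self.fail_ratio(api_key) <= self.max_fail_ratio


def simulate(limiter, api_key, outcomes):
    """Replay outcomes for one key; return calls served before blocking."""
    served = 0
    for exists in outcomes:
        if not limiter.allowed(api_key):
            break
        limiter.record(api_key, exists)
        served += 1
    return served


# Constructed traffic: a checkout flow where 1 in 10 addresses is mistyped,
# and a bulk lookup where only 1 in 20 addresses belongs to an account.
CHECKOUT = [i % 10 != 0 for i in range(200)]
BULK_LOOKUP = [i % 20 == 0 for i in range(200)]

if __name__ == "__main__":
    limiter = FailureRatioLimiter()
    print("checkout served:", simulate(limiter, "shop-key", CHECKOUT))
    print("bulk lookup served:", simulate(limiter, "bulk-key", BULK_LOOKUP))
```

The window is kept per API key, so it says nothing about one party spreading calls across several accounts, which is the objection raised above.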