OWASP / www-community

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.

Home Page: https://owasp.org/www-community/


Add to "Changing Registered Email Address For An Account" page to describe guidelines for System accounts with multiple email addresses

philCryoport opened this issue

The other thing that bothers me about this - and it absolutely depends on context, what type of app, etc - this flow seems to assume/expect there to be only a single, authoritative email address for the user. Not just identification, but the identity itself. Contrast that to apps (e.g. like Github) wherein you can add multiple email addresses to a single user account. It is an architectural consideration to be sure, but that changes a lot of perspective as well.
E.g. just adding a 2nd email address to an existing account, you would simply reauthenticate the user, and then send notification-only email to all the other existing addresses on the account (as you do note that Google does), with an option to react or cancel (e.g. something like "If this wasn't you, let us know").
And cannot remove an address or change the primary, until the 2nd is approved.

I would like to make a suggestion, to review other large / reputable / reliable sites to compare this proposed flow with what they actually do, and their existing threat model for that flow. E.g. you mentioned Google, I mentioned Github - worth digging in a bit. My assertion is that we'll find that very few actually go through all this.
That said, to repeat my earlier comment: it really depends on context and type of app :-)

Originally posted by @avidouglen in #843 (comment)
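The multi-address flow sketched in the quoted comment (re-authenticate before adding an address, send notification-only mail to every other address on the account, and refuse removals or primary changes until the new address is approved), as an added Python model that is not part of the issue or of the OWASP page; the class, its method names and the sample addresses are constructed for illustration:

```python
class AccountEmails:
    """Constructed model of an account that carries several addresses: adding one
    needs fresh re-authentication and notifies every other address; removing an
    address or changing the primary is blocked while an addition is unconfirmed."""

    def __init__(self, primary: str) -> None:
        self.verified = {primary: True}          # address -> confirmed?
        self.primary = primary
        self.notifications: list[tuple[str, str]] = []  # (recipient, text)

    def pending(self) -> list[str]:
        return [a for a, ok in self.verified.items() if not ok]

    def _settled(self, reauthenticated: bool) -> None:
        if not reauthenticated:
            raise PermissionError("re-authenticate first")
        if self.pending():
            raise PermissionError(f"confirm pending addresses first: {self.pending()}")

    def add_address(self, address: str, reauthenticated: bool) -> None:
        if not reauthenticated:
            raise PermissionError("re-authenticate before adding an address")
        if address in self.verified:
            raise ValueError("address already on this account")
        for other in self.verified:  # notification-only mail to every existing address
            self.notifications.append(
                (other, f"{address} was added. If this wasn't you, let us know."))
        self.verified[address] = False

    def confirm(self, address: str) -> None:  # the new address clicked its link
        self.verified[address] = True

    def remove_address(self, address: str, reauthenticated: bool) -> None:
        self._settled(reauthenticated)
        if address == self.primary:
            raise PermissionError("pick another primary before removing this one")
        del self.verified[address]

    def set_primary(self, address: str, reauthenticated: bool) -> None:
        self._settled(reauthenticated)
        if address not in self.verified:
            raise KeyError(address)
        self.primary = address

def is_blocked(action, *args) -> bool:
    """True when the policy refuses the action with PermissionError."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```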