The attacker can see all email addresses for all users on your site. This is normally privileged info that even moderators have to click a button to reveal.
Click a fucking button. I'd forgotten about that
Should moderators have access to a user's email address?
It's privileged info
Add a button and make them click it first
What colour should it be?
Well, the basic idea seems sensible since it could be used for auditing. Does that actually / could it actually happen with Discourse though?
We hide email addresses using CSS that shows the address on hover because we just don't want our mods or admins accidentally screenshotting a user's email address.