I'm using the accounts package and I don't know if this is intended:
If my user receives an email with the verification link and, let's say, he does not click it, but someone else who is on their computer sees the link and clicks it, the user automatically gets signed in. So the wrong person now has access to everything.
Something to consider here: if a person has access to that user's inbox, they can easily reset any password they want.
The fact that they are already automatically logged into your user's inbox is much more of a concern than them being automatically logged into your app.