Blockchain claimed their service as a noncustodial wallet service. But I doubt it's not a true noncustodial wallet. It's pretty certain Blockchain staff could see the wallet ID and emails as well. To be more honest, a site could even be coded so that staff could directly log in to the user account without a password. If the site isn't open-source, we can't verify it, and without a web developer expert who can read the code language, no one could detect it. So abusing the system is possible. But if there is an activity log on the admin system, then it's possible to detect who abuses the system. Because if someone is scammed by Blockchain staff, then I think the user will not stay calm and eventually authorities would notice it. Anyway, I believe the story OP mentioned in the thread is an issue of hacking. If someone hacked the email, it means it's pretty easy to find the wallet ID. Then the hacker could change the email accordingly.
Blockchain.com openly admits that they see wallet IDs and emails. This is how I was able to change my 2FA email back to the previous one.
Actually, it's quite possible that Blockchain.com found the thief but did not notify the authorities, because such an incident would be terrible PR for the company. They most likely only fired him, as they would do everything to hide it.
There's no reason to change the 2FA email if the email was hacked, because the hacker would have access to the wallet already. And besides, a 2FA change takes a few weeks.
Also, I have 2FA on my email and logs that prove that no one else accessed my email.