The emails are sent to thousands or millions of users, specifically targeting Norton users, Having a single email account isn't a bad idea, but there are still crooks selling email accounts, and these people are working directly with someone who has access to Google's mail database; nowadays, everything is tradeable. The best safeguard is to recognize which emails are real and which are not.
The weakest link in the whole chain is of course always a man, whether it is a malicious employee or a bad programmer who left room for a hacker to break into the system. Given the size of Google and the number of employees, it's hard to believe that everyone is honest - so I don't trust their services too much (although I use them), but for extremely sensitive things I recommend an email from Proton which is free and encrypted, based in Switzerland.
However, the worst option is to use only one e-mail account for all services, because if someone happens to hack it - it becomes a real nightmare, the hacker takes over everything related to that account.