In contrast, there have been other incidents such as the incident of the owner of the Twitter handle @N having one of his domains hijacked by social engineering of GoDaddy support to pivot to control of his Twitter account[1]. Since then, GoDaddy has fallen victim to other incidents of this nature[2]. Not advocating the use of GoDaddy, but was just illustrating these as case studies.
GoDaddy isn't alone in this; there have been other attempts at stealing domains with scans of falsified identity documents and similar fraud, as if verifying remote scans of passports from foreign countries is a trivial task[3].
What are some best practices from an OPSEC perspective to mitigate the above risks for higher risk individuals?
Note: Ignoring the issues of client-side cryptography in JavaScript, the fact that their SMTP gateway could be compromised logging plaintext, etcetera, would a hypothetical ProtonMail free account with 2FA enabled and password reset disabled fare well enough against some of the above-mentioned attacks? As for the relevance, email is used to "bootstrap" digital identities, and unless services take further precautions to distrust unauthenticated email, there is a fair amount of things that could be done by an attacker who can send and receive email at your address.
[1] https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...
[2] https://krebsonsecurity.com/2020/11/godaddy-employees-used-i...
[3] https://fastmail.blog/historical/when-two-factor-authenticat...