Password reset also has phishing potential. I do see your point, but if a user doesn’t check domains, I think they can be easily phished through either route.