I think that’s a pretty unsympathetic take. Hindsight is 2020 but there are factors outside the author’s control (synced MFA, Gmail not detecting the spoofed address)

Cloud sync is not out of one's control, and complaining that Gmail did not automatically detect the spoofed address is an inversion of assumption. It's like dropping your icecream and then being mad nobody caught it for you.

Is the average user (someone who "works in tech" even!) really so uninvolved in their own security? Are they not expected to hold any responsibility whatsoever?