I don't understand. What combination of actions and app features allowed the scammer to send an email that is indicated to be from google's domain?

That's the big question. I've heard attackers have used Google's own tools like Google forms or Google cloud to send the email through Google's servers so it wasn't flagged. This is a major vulnerability that Google needs to fix. I'm quitting Google because I'm worried about other vulnerabilities like this.