I do think it's a tempting use case, but there are precautions that up I would take if I was doing this sort of thing. Off the top of my head:

- Set up a separate inbox just for the agent, with a forwarding rule that passes on most things that land in my Gmail, but omits as many verification token/password reset emails as possible.

- Have the agent alert me when any sensitive emails do make it through, with suggestions on how to update the forwarding rule.