> if you shared the account details with someone, it seems to me difficult to claim that the forum and not the user is the one responsible.
I kinda wanted to make a larger point on how, even if someone logs in to your service, you don't know who you are talking with and might be going against the wishes of the owners of the account, which would be unethical if you haven't priorly obtained their informed consent to do so.
Here are scenarios under which third parties might try to unethically obtain access to your user's data, perhaps as you described by logging in or via some other means:
1) A PC gets hacked and the owner loses control over their email. It's easy for a hacker to replace the password and log in. You can't blame the user for the shitty state of this industry when it comes to security. You are talking to a hacker.
2) A SIM card is cloned via social engineering and passwords are changed if the email is improperly secured. You are talking to a hacker.
3) People share computers. Persistently logging out from websites on a spouse's computer seems shifty. You are talking with a family member.
4) Not all people agree or understand that for some services people shouldn't share accounts. You can't know which pieces of data belong to whom, so you can't give it out. It's also unreasonable to demand that all services require each account to be used by only one person just for the sake of GDPR being workable. You are talking only to one user.
5) People trade accounts. It's unethical to give data to a new owner if the previous owner wasn't aware of what data you store. You are talking only to the newest owner.
6) People can be forced to sign in to their accounts. You are talking with an abuser.
In all these cases I think it isn't ethical to reveal data that couldn't already be accessed by normal means. It seems to me that GDPR, ironically, weakens users' privacy.