Why would they allow an account with multiple email addresses to log in with the non-SSO one? In your case you aren’t malicious, but it could be used maliciously:
- add your personal email
- get fired and log in with that email and now have all the data
I would argue that the "right" course of action is to immediately require human intervention when an SSO email is added to an account (or an existing account with an email address, such as a startup "going big league", becomes SSO managed), so that account ownership issues are resolved at that point in time by the parties with ownership interest, not Atlassian having to do so.
The ownership of data is attached to the email. As soon as I left my workplace, none of the data created under my company account was visible to me. On top of that, they launched SSO support lately. It was not SSO when I connected my accounts years back.