1. You're comparing Persona to an imaginary world where most websites don't rely on email providers to prove authentication. I'm comparing Persona with the actual situation where people use the same password everywhere. Persona isn't perfect, but it is much better than what the vast majority of websites use, and it allows even better methods to be implemented where needed. Furthermore, Persona is more usable, and therefore more attractive and more likely to be deployed widely.

2. Yes, it can. It can delete password reset notifications. If the notification contained the password in plain text, then there would be no easy way to find out whether Gmail logged in to your account on X. If the notification contained a password reset link, there is a possibility that the user would subsequently discover that their password was no longer accepted on X. But given that most users use the same password everywhere, Gmail already has a huge potential for evil, as it could just use the passwords it has already collected. Users that worry about Gmail can use an alternative email provider or their own, after all, email and Persona are both decentralised. Website developers that worry about Gmail can use other authentication methods on top of Persona, such as in-house two-factor authentication.

tldr; if Gmail is evil, both Persona and current systems can't stop it. If that worries you, use your own email server, and use other authentication methods on top of Persona on your websites.