
> Facebook could have noticed that the primary email for the user was for an expired domain, and proactively notified them to remove it.

Or just wait at least a week before emailing a password reset PIN to secondary email addresses. I reported this exact vulnerability 4 years ago:

https://news.ycombinator.com/item?id=17835127


