Does it actually matter they had access to everything?

They need emails and transaction history to answer questions for customers having problems. An email is good enough to look up someone’s address and phone number based on all the other leaks online.

I guess we could argue that coinbase could build a system that obfuscates the email from customer support but there’s still a large group of developers and sysadmins and auditors who have access to that information and can be compromised (either the person or their equipment)

It is a breach of Least Privilege, which is a fundamental cybersecurity principle. An egregious error on Coinbase's part. Anyone with even just a Sec+ (i.e., me) knows this.