I'm amazed at what Google was okay with. For a while there, if you had access to Chrome's files, for a user logged in with Chrome that had a credit card on file with Google, you could initiate a Google Pay payment with no further authorization.
They also used to let anyone add any gmail address to a Google Groups group, and send out unfilterable spam as a message from that group.
They still do, I use add-anyone all the time. The trick is that they implemented serious anti-spam on groups, which them allows them to keep this feature. It's of course not perfect but good enough.