> Don't register your domain or DNS with Google Domains / GCP if you host your email with Google Workspace... since if you get locked out of the Google account you could be unable to update your DNS.

This seems like a potential rabbit hole.

Use a different domain with your registrar than the domain you’re registering. Same thing with DNS host. Do you have two domains with two registrars and two DNS hosts? Presumably if either one gets compromised, the control of one domain could be used to gain control of the other. And you’ve quadrupled your attack surface by having two domains with two registrars and two DNS providers.

I don’t disagree with you, but I also don’t know a robust solution for this (happy to hear one, if you have it).