Feels more like you've decided and are now trying to find crazy ways to justify it :)
The whole thing about knowing your social creds and logging in also exists if you are already linked; it's a paranoid fantasy scenario far outside the realm of the legitimate. If one is concerned about that, they should have 2FA set up on their social accounts anyway.
Yes, there is a common case for logging in with different accounts; again, back to Disqus as an example. They started with no social login, and I had a Disqus account... then they added social logins, so I linked up Google. I log in so infrequently that the next time I hit the site I clicked Facebook because I couldn't remember which social one I used... it turns out I had never logged in with FB there before, but because it was the same email, boom... I was logged into my account.
Now if we run that same scenario in Sitefinity, I have logged in without the access I expected, and the devs and admins now have to deal with 2 users with the same email account for no good reason, and what, sync my permissions or something... it's insanity. We're starting this from scratch, guys; why not do it the proper way here, now, the first time?
Also, nobody commented on the Auth0 JWT item above... Auth0 said they are not doing anything fancy or outside of the JWT spec, so why would we even need to do anything to support them? It should just work... They are waiting on a response from me, and I'd like to provide one if possible.
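The two linking behaviours compared in this comment (Disqus matching a new social login to an existing account by email; Sitefinity creating a second user with the same email) sit at opposite ends of one design decision, and there is a middle ground a reviewer would normally ask for: link on email only when the identity provider itself asserts the address is verified, and otherwise require the user to prove ownership of the existing account before the link is made. The following is an added Python illustration, not code from the thread or from Disqus, Sitefinity or Auth0; the account store, the `email_verified` flag and the policy names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory account store for illustration only.


@dataclass
class User:
    user_id: str
    email: str
    # provider name -> provider-side subject id, e.g. {"google": "g-1"}
    identities: Dict[str, str] = field(default_factory=dict)


@dataclass
class SocialAssertion:
    """What the identity provider tells us after a successful social login."""
    provider: str
    subject: str
    email: str
    email_verified: bool  # the provider's own claim about the address


class AccountStore:
    def __init__(self) -> None:
        self.by_email: Dict[str, User] = {}
        self.by_identity: Dict[Tuple[str, str], User] = {}
        self._seq = 0

    def create_user(self, email: str, provider: str, subject: str) -> User:
        self._seq += 1
        user = User(f"user-{self._seq}", email.lower(), {provider: subject})
        # setdefault keeps the first user for an email, so a site that allows
        # duplicates (the Sitefinity behaviour described above) ends up with
        # two users but only the original is reachable by email.
        self.by_email.setdefault(user.email, user)
        self.by_identity[(provider, subject)] = user
        return user

    def link(self, user: User, provider: str, subject: str) -> None:
        user.identities[provider] = subject
        self.by_identity[(provider, subject)] = user

    def distinct_users(self) -> int:
        return len({u.user_id for u in self.by_identity.values()})


def social_login(store: AccountStore, a: SocialAssertion,
                 policy: str) -> Tuple[str, Optional[User]]:
    """Return (outcome, user-to-log-in or None). policy is one of:
       'link_by_email'    - match on email alone (the Disqus behaviour)
       'separate_user'    - never match on email (the Sitefinity behaviour)
       'link_if_verified' - match on email only when the provider says it is
                            verified; otherwise no session until the user
                            confirms ownership of the existing account
    """
    email = a.email.lower()  # simplistic normalisation, enough for the example
    known = store.by_identity.get((a.provider, a.subject))
    if known is not None:
        return "existing_identity", known  # this provider+subject seen before

    existing = store.by_email.get(email)
    if existing is None:
        return "created", store.create_user(email, a.provider, a.subject)

    if policy == "link_by_email":
        store.link(existing, a.provider, a.subject)
        return "linked", existing
    if policy == "separate_user":
        return "created_duplicate", store.create_user(email, a.provider, a.subject)
    if policy == "link_if_verified":
        if a.email_verified:
            store.link(existing, a.provider, a.subject)
            return "linked", existing
        # Unverified address: grant nothing yet. The caller should have the
        # user sign in to the existing account (or pass an email challenge)
        # and only then call store.link().
        return "needs_confirmation", None
    raise ValueError(f"unknown policy {policy!r}")


def demo(policy: str) -> Tuple[str, str, bool, int]:
    """Replay the scenario from the comment: sign up via Google, later click
    Facebook with the same email. Returns (first outcome, second outcome,
    same user logged in both times, distinct users in the store)."""
    store = AccountStore()
    first = SocialAssertion("google", "g-1", "me@example.com", True)
    later = SocialAssertion("facebook", "f-9", "me@example.com", False)
    o1, u1 = social_login(store, first, policy)
    o2, u2 = social_login(store, later, policy)
    same = u2 is not None and u1 is not None and u1.user_id == u2.user_id
    return o1, o2, same, store.distinct_users()


if __name__ == "__main__":
    for p in ("link_by_email", "separate_user", "link_if_verified"):
        print(p, demo(p))
```

Under `link_by_email` the second login lands in the original account, as it did on Disqus; under `separate_user` the store now holds two users for one email, which is the clean-up problem described for Sitefinity; under `link_if_verified` a Facebook assertion that does not carry a verified email gets no session at all until the user confirms the link, while a provider that does assert the address as verified is linked on the spot.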