Do not use the same email address for an Application user as the email address you use for the Bubble Editor Account.
The email addresses of a Bubble Editor Account can be discovered (by design - nothing shocking here). So this means a bad actor can use this to guess the email of a valid application user who is quite possibly a privileged user in your Bubble app.
It’s a bit complicated to explain but I hope that makes sense.
In simple words - if your Bubble Editor Account is “admin@myapp.io” - then do not make the admin user for your application the same email - a bad actor now can guess 50% of your app admin username and password.
In fact, don’t use any easily guessable emails as the username for your most privileged users. For the most secure access to the app - my best practice is to not allow login from the Web at all, but “run as” from the Editor, as it means that user has 2-factor authenticated and there is no exposed public username & password login page that permits a very privileged user account to log in.
Another tip - if you do have app data to worry about - consider this offer 🎉 Offering full Bubble app audits for... $1! @georgecollier does a great job!
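
One way to check an app for the overlap described above, as an added example (not part of the original post and not Bubble's own code). It assumes you have exported your app users as records with hypothetical `email` and `role` fields; the guessable-name list and the `+tag` alias handling are illustrative assumptions.

```python
"""Audit sketch: flag privileged app users whose login email is discoverable or guessable."""

# Assumption: local parts treated as "easily guessable"; adjust to your own policy.
GUESSABLE_LOCAL_PARTS = {"admin", "administrator", "root", "support", "info", "hello", "contact"}


def normalize(email):
    """Lower-case and drop any +tag so aliases of one mailbox compare equal."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def audit_privileged_emails(app_users, editor_emails, privileged_roles=("admin",)):
    """Return (email, reason) pairs for privileged users with risky login emails.

    app_users: iterable of dicts with "email" and "role" keys (hypothetical export shape).
    editor_emails: emails of the Bubble Editor Account and any collaborators.
    """
    editors = {normalize(e) for e in editor_emails}
    findings = []
    for user in app_users:
        if user["role"] not in privileged_roles:
            continue  # only the most privileged accounts are in scope here
        email = normalize(user["email"])
        if email in editors:
            findings.append((user["email"], "same as editor account email"))
        elif email.split("@")[0] in GUESSABLE_LOCAL_PARTS:
            findings.append((user["email"], "easily guessable local part"))
    return findings


# Constructed sample data, not taken from any real app.
SAMPLE_EDITORS = ["admin@myapp.io"]
SAMPLE_USERS = [
    {"email": "Admin+app@MyApp.io", "role": "admin"},      # alias of the editor mailbox
    {"email": "support@myapp.io", "role": "admin"},        # guessable name
    {"email": "k7-ops-ledger@myapp.io", "role": "admin"},  # neither
    {"email": "admin@myapp.io", "role": "member"},         # not privileged, skipped
]

if __name__ == "__main__":
    for email, reason in audit_privileged_emails(SAMPLE_USERS, SAMPLE_EDITORS):
        print(f"{email}: {reason}")
```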