If you're curious, the relevant code is here https://github.com/flarum/core/blob/v0.1.0-beta.16/src/User/Command/RegisterUserHandler.php#L125
You can see that all attributes provided by an oauth providers are stored in
$token->user_attributes, then applied on top of whatever was provided in the API request. So whatever you send as
data.attributes.email, it will be overridden with
The email is only shown in the frontend as a visual indication to the user that this is the email that will be assigned to the account.
Some social logins could also provide an email as a suggestion instead of an assignment, in which case it won't be in the
$token->user_attributes and Flarum won't disable the field in the UI.