Comment by necovek

4 months ago

I read the GP's question as "why" would Google allow that in the first place?

The reason is obvious: because a Google account gets you access to many a Google service without requiring you to open a Gmail account.

However, the question still stands: why does Google allow authentication with a non-Gmail/Workspace account? Yes, it would be confusing since not all Google Accounts would be made the same, but this entire class of security issues would disappear.

So it's the usual UX convenience vs security.

An alternative "fix" that's both convenient and secure is to have every company use Google Apps on their domain ;-)