In their Identity docs, Google loudly and repeatedly discourage using the email claim as identification, or as a guarantee that someone is a member of the organization.
There may be cases when it's really what you want, but I find it a bit dangerous to have the first and only example of identifying someone by their Google identity use email. Could the example in the README use
```yaml
claims:
  hd: chainguard.dev
```
instead?
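The difference between the two checks, as an added example that is not part of the original post or the project's code: it compares matching on the `email` domain with matching on `hd`, and keys the identity on `sub` rather than on `email`. The function names and claim sets are hypothetical and constructed, and the token's signature, `aud` and `exp` are assumed to have been verified already.

```python
# Added illustration; all claim sets below are constructed, not real tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CANONICAL_ISSUER = "https://accounts.google.com"


class NotAMember(Exception):
    """Raised when the claims do not prove membership of the organization."""


def naive_email_check(claims: dict, domain: str) -> bool:
    """The pattern the post warns about: trust the domain part of `email`."""
    return str(claims.get("email", "")).lower().endswith("@" + domain)


def identify_member(claims: dict, domain: str) -> tuple[str, str]:
    """Return a stable (issuer, sub) key for a member of `domain`, else raise.

    Assumes signature, `aud` and `exp` were verified before this call.
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise NotAMember("unexpected issuer")
    hd = claims.get("hd")
    # `hd` is only present for accounts that belong to an organization.
    if not isinstance(hd, str) or hd != domain:
        raise NotAMember("hd claim missing or for another organization")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise NotAMember("missing subject")
    # Key on `sub`, not on `email`, which can change over time.
    return (CANONICAL_ISSUER, sub)


# Constructed: account that belongs to the organization.
ORG_ACCOUNT = {"iss": "https://accounts.google.com", "sub": "1000000000000000001",
               "email": "alice@chainguard.dev", "hd": "chainguard.dev"}
# Constructed: same email domain, but no `hd` claim (not an organization account).
NO_HD_ACCOUNT = {"iss": "https://accounts.google.com", "sub": "1000000000000000002",
                 "email": "bob@chainguard.dev"}
# Constructed: account of a different organization.
OTHER_ORG_ACCOUNT = {"iss": "accounts.google.com", "sub": "1000000000000000003",
                     "email": "carol@example.com", "hd": "example.com"}

if __name__ == "__main__":
    for claims in (ORG_ACCOUNT, NO_HD_ACCOUNT, OTHER_ORG_ACCOUNT):
        try:
            print(claims["email"], "->", identify_member(claims, "chainguard.dev"))
        except NotAMember as exc:
            print(claims["email"], "-> rejected:", exc)
```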