
> Depends on the provider

That was the whole point of my comment. It is up to the vendor and vendors do a horrible job.

> the inevitable "we see you requested an account recovery" email would serve as useful canary

There is nothing useful here. They are allowing you to bypass a secure key with a dumb email confirmation.

Your idea of a 'useful canary' is great, until you get rooted at 5 AM on a Monday morning and that email disappears before you wake up.



Well I imagine in most people's cases if they've managed to compromise their email then the game is already won.

Anecdotally, someone got my Steam account credentials. I discovered this when they tried to change my password. Fortunately I had Steam's two-factor enabled and got the notification (2-factor is required to change Steam account passwords), which alerted me to change my password. They actually tried the account recovery option and I got an email notification about that as well.

So in situations like that such notifications can be quite useful. But yeah, if they've compromised your most critical accounts/devices then YubiKey isn't going to save you. I don't think that's a knock against it.


A cool-down period would be useful here: just wait a couple of days for access.



