Accounts with email and password are actually 2-of-2 multisignature wallets. As such, they're entirely non-custodial.
One key is in-browser and password-encrypted, the other is on a hardware security module (HSM) on our backend. You need both to control the account - e.g. to sign transactions, messages, etc. But you can send time-locked transactions with only one of them.
Time-locked transactions can be used to recover the account if you forget the password or if our backend is unavailable; password reset, for example, works this way. But they also protect against breaches: since a single key can only send time-locked transactions, if your client-side key is compromised and someone tries to use it, you'll be able to see the attempt before it takes effect and recover your account.
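The two paths described above, the immediate 2-of-2 path and the one-key time-locked path, as an added model written for this page, not the wallet's own code. It assumes (as the text implies but does not spell out) that during the time-lock window either key can cancel a pending operation; the HMAC "signatures" and integer clock are stand-ins for the real signature scheme and block time.

```python
import hmac
import hashlib
# Added model of the account policy described above; not the wallet's own code.
# Keys are HMAC secrets standing in for the real signing keys, and time is an
# integer so the time-lock window can be stepped through deterministically.

def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Account:
    """2-of-2 account: client key + backend HSM key, plus a one-key time-locked path."""
    def __init__(self, client_key: bytes, hsm_key: bytes, delay: int):
        self.keys = (client_key, hsm_key)
        self.delay = delay
        self.pending: dict[bytes, int] = {}   # msg -> earliest execution time
        self.executed: list[bytes] = []

    def _signers(self, msg: bytes, sigs: list[bytes]) -> int:
        """Number of distinct account keys that produced a valid signature over msg."""
        return sum(any(hmac.compare_digest(sign(k, msg), s) for s in sigs) for k in self.keys)

    def execute(self, msg: bytes, sigs: list[bytes]) -> bool:
        """Immediate path: both keys must sign (normal transactions, messages)."""
        if self._signers(msg, sigs) == 2:
            self.executed.append(msg)
            return True
        return False

    def queue(self, msg: bytes, sigs: list[bytes], now: int) -> bool:
        """Time-locked path: one key suffices, but the operation only becomes
        executable after `delay` (password reset, backend outage, recovery)."""
        if self._signers(msg, sigs) >= 1:
            self.pending[msg] = now + self.delay
            return True
        return False

    def cancel(self, msg: bytes, sigs: list[bytes]) -> bool:
        """Assumption: while an operation is pending, either key can veto it, which is
        what lets an owner who spots a rogue time-locked transaction recover."""
        if msg in self.pending and self._signers(b"cancel:" + msg, sigs) >= 1:
            del self.pending[msg]
            return True
        return False

    def finalize(self, msg: bytes, now: int) -> bool:
        """Execute a pending operation once its time-lock has elapsed."""
        if msg in self.pending and now >= self.pending[msg]:
            del self.pending[msg]
            self.executed.append(msg)
            return True
        return False
```

The key property to check is that a single leaked key never reaches `executed` without first sitting in `pending` for the full delay, where the other key can veto it.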
More importantly though, accounts with only an email address and password can never match hardware wallets in terms of security, so they're more of an 'onboarding' tool. We strongly encourage connecting a hardware wallet later on for added security - you can and should migrate to seed-based authentication using a hardware wallet once you have more funds. We make this very easy; you can change your authentication in one transaction by adding a signer: