For the record, systems at both FB and Google prevent internal employees from doing either. "There's nothing technical preventing any of these kinds of abuses" is only true in the sense that you can imagine implementations that don't prevent these kinds of abuses.
You're claiming that a rogue employee can't take it on themselves to do that on their own initiative. Either of those companies could trivially choose to do those things as a management decision. Maybe it doesn't make good business sense today, but who knows what the business landscape of 2025 or 2030 looks like?
And then my comment would be false. But as it stands today, it's true.
I do think you overestimate how trivial it would be for "management" (who? a senior PM? Sergei? Zuck?) to decide to turn off all internal security controls so individual Googlers could send emails using someone else's identity--it would likely run afoul of multiple current laws and contracts, to speak nothing of the universal, strong internal objections there'd be to that change and the high engineering cost to migrate off those systems. And I can't imagine a business landscape that would encourage any company to let individual employees do that.
There are tons of things to worry about wrt BigTechCos, but preventing and auditing rogue employees are something where their incentives align pretty strongly with the public good.
FWIW I do support stronger legal and privacy requirements (with some caveats, mostly because compliance is very expensive and potentially harmful to smaller companies).
Do they actually prevent malicious abuse, or do they just catch people after the fact and fire them? I know from reading about the NSA that they watch what data agents retrieve, and they're restricted by policy from going snooping, but there's nothing except fear of losing their job that stops them.
Google's servers have the ability to send email from myname@gmail.com and it comes with all the appropriate DKIM signatures to be from "me". They have some kind of auto-reply system such that their computer can automatically send "as me". They're already 90% of the way there: I think you've overestimating how big a change this would be.
I'll also say that I have little to no confidence in "strong internal objections". VW engineers built the emissions-cheating system, Facebook engineers built Beacon, Google engineers dutifully slurped up everyone's private wifi traffic. As long as management dressed it up a little bit and/or reassigned any dissenters, I'm sure they'd get a compliant team to build whatever garbage they wanted.
