In we ensured that the provided email address was the user's primary address and not one of the others. The same applies to the verified user record. Currently the ValidatedEmailClaimProvider simply picks the first email from the list to return but we should take care to make sure that the address is the primary email address (at the time the verification record was created).
One way to do this would be to add a new field to VerificationSubmission which is the notificationEmail address and to return that value when asked for the user's validated email.