The identify endpoint for OAuth (typically used for logins with Wikipedia as an external identity provider) has separate email and confirmed_email fields, matching User::getEmail() and User::isEmailConfirmed(), so it mirrors the unfortunate design choice of the User class to return the unconfirmed email address, with the developer needing to check a separate field to tell that it is not actually the user's address. I can't think of a scenario where the unconfirmed email would be useful for the OAuth client; OTOH, relying on the email for login and not checking whether it's confirmed is an easy mistake to make. We should not set the email unless it's confirmed.
(Wikis with email confirmation disabled should of course be excepted.)
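Added example, not part of the original report and not MediaWiki or OAuth extension code: a client-side sketch of the mistake described above next to a check that only trusts `email` when `confirmed_email` is the boolean true. The sample payloads, the `username` key, the local account table and all function names are assumptions made for the illustration.

```python
"""Client-side handling of an OAuth identify payload (illustrative)."""

# Constructed sample payloads. Only the `email` and `confirmed_email` fields
# are named in the report; the other key and all values are made up here.
UNCONFIRMED = {"username": "UserA", "email": "alice@example.org", "confirmed_email": False}
CONFIRMED = {"username": "Alice", "email": "Alice@Example.org", "confirmed_email": True}
STRINGLY = {"username": "UserB", "email": "alice@example.org", "confirmed_email": "false"}
NO_FLAG = {"username": "Bob", "email": "bob@example.org"}

# Hypothetical account table of the OAuth client, keyed by lowercased email
# (lowercasing is this example client's own lookup convention).
LOCAL_ACCOUNTS = {"alice@example.org": "local-account-1"}


def naive_email(claims):
    """The easy mistake: use `email` and never look at `confirmed_email`."""
    return claims.get("email")


def trusted_email(claims):
    """Return the address only if the provider marked it as confirmed."""
    # Strict identity check: a missing flag, or a truthy non-boolean such as
    # the string "false", must not count as confirmation.
    if claims.get("confirmed_email") is not True:
        return None
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return None
    return email.strip().lower()


def match_local_account(claims, extract):
    """Look up a local account using the address chosen by `extract`."""
    email = extract(claims)
    if not isinstance(email, str):
        return None
    return LOCAL_ACCOUNTS.get(email.lower())


if __name__ == "__main__":
    for name, claims in [("unconfirmed", UNCONFIRMED), ("confirmed", CONFIRMED),
                         ("string flag", STRINGLY), ("no flag", NO_FLAG)]:
        print(name,
              "naive:", match_local_account(claims, naive_email),
              "checked:", match_local_account(claims, trusted_email))
```

With the change proposed in the report, the unconfirmed payload would carry no `email` at all, so even the naive lookup would find nothing to match on.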