ok thinking about this more, i guess a sudo-type high friction UI method may be the way to go, since that setting is “insecure” for the edit window and not all admins have access to the rails console (thinking hosted sites for example).
perhaps something like when an admin tries to save the new email, a modal dialog should appear forcing them to re-enter their own password to confirm the action (or a 2FA challenge if enabled). it goes without saying this action must be recorded in the staff logs in detail. i think a mandatory user verification is still required somehow to give a legitimate user a chance to report an account takeover, and a notification should also be sent to the new email address confirming the change?
i’m just very against the idea of admin just being able to change email addresses at the request of users. there has to be some layer of friction or complexity with verification.
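As an added illustration of the flow proposed in this post (not Discourse code, and not the poster's own): a small Ruby class that gates an admin-initiated email change behind a fresh password re-check, writes every attempt to a staff log, and queues notifications. All class, method and template names are hypothetical; the five-minute validity window is an assumed value; and notifying the old address as well as the new one is my reading of "give a legitimate user a chance to report an account takeover". The password check is injected as a callable so the example runs without a database or a password library.

```ruby
# Added example, not Discourse code. Names are hypothetical.
require 'time'

class AdminEmailChange
  # How long a successful re-authentication stays valid before the save
  # must happen (assumed value; the post only asks for a challenge per save).
  SUDO_WINDOW = 5 * 60

  attr_reader :staff_log, :outbox

  # verify_password: callable that checks the admin's OWN password against the
  # platform's stored hash (injected here to keep the example self-contained).
  # now: clock, injectable so the expiry window can be exercised.
  def initialize(verify_password:, now: -> { Time.now })
    @verify_password = verify_password
    @now = now
    @sudo_until = nil   # time until which the re-authentication is valid
    @staff_log = []     # every attempt, successful or not, in detail
    @outbox = []        # notifications a real system would send by mail
  end

  # Step 1: the modal challenge. A 2FA check would slot in at this same point.
  def reauthenticate(admin:, password:)
    ok = @verify_password.call(password) ? true : false
    @sudo_until = @now.call + SUDO_WINDOW if ok
    @staff_log << { action: ok ? 'sudo_granted' : 'sudo_failed',
                    admin: admin, at: @now.call.iso8601 }
    ok
  end

  def sudo_active?
    !@sudo_until.nil? && @now.call < @sudo_until
  end

  # Step 2: the save. Returns :ok, or a symbol saying why it was refused.
  # A successful change consumes the re-authentication, so the next change
  # triggers the challenge again.
  def change_email(admin:, user:, old_email:, new_email:)
    entry = { action: 'change_email', admin: admin, user: user,
              old_email: old_email, new_email: new_email,
              at: @now.call.iso8601 }

    unless sudo_active?
      @staff_log << entry.merge(result: 'denied', reason: 'sudo_required')
      return :sudo_required
    end
    unless new_email.match?(/\A[^@\s]+@[^@\s]+\z/)
      @staff_log << entry.merge(result: 'denied', reason: 'invalid_email')
      return :invalid_email
    end

    @staff_log << entry.merge(result: 'applied')
    @sudo_until = nil
    # Confirmation to the new address, as the post proposes.
    @outbox << { to: new_email, template: 'email_changed_confirm', user: user }
    # Assumption: the old address is told too, so a legitimate owner who did
    # not ask for this can report a takeover.
    @outbox << { to: old_email, template: 'email_changed_report_if_not_you', user: user }
    :ok
  end
end
```

The denied attempts land in the staff log with a reason, which is what makes a later investigation useful: an admin who never passed the challenge but repeatedly tried to save a change is visible, not silently blocked.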