If anything the opposite is true. You sign up for an email address and own that account. If the account is attacked then the consequences can be significant. Attack a mailbox just right and the user can lose access to it permanently.
IPs are allocated to you from a pool and your last IP will change as you move between devices and networks - home/school/work/cell connection and coffee shop for example.
I would be much more concerned about who you allow to see your users data, than their ability to unmask an IP address.
Location… rarely and it is almost never accurate. Yes I know I’m living in small country and in bigger countries where an ISP can be even town related, plus domestic roaming can be sometimes problematic, the situation can be slightly different, but I doubt anywhere you can be pinpointed accurate. Here in Finland, EU my location is always at least 100 km off.
That is true in Europe and IP didn’t show my location accurate in London (well… that is still part of Europe, sorry ), New York or Los Angeles.
Other sensitive info? There is not any.
And still… an admin can find out your IP really easily even when it is not shown on side of Discourse.
From my point of view whole IP is just noise, and the biggest single reason why admins are struggling with error 429 — because so many are sharing same IP.