I recently reported an issue to Google, which allows an attacker to confirm whether a visitor to a web page is logged in to any one of a list of specific Google accounts (including GSuite accounts). It is possible to check about 1000 email addresses every 25 seconds. Google have confirmed this as working as intended, and not considered a bug.
You can test it out yourself on this demo page.
Firstly, a video of a proof of concept, where I identify an account (myself) against a list of 20 accounts: