I have. A lot. It's not that hard especially if you have physical access to the mail server. I've hacked the account of a deceased person so that the survivors could get to the deceased's email. (I was the admin at an ISP. It was legal.)
Your arguments are simply that she should have used a better lock and alarm company.
My argument is that too many people, the governor (and apparently you) have a false sense of security about third-party email systems. They aren't secure. They've never been secure.
Any email stored on a server is accessible by the people that have access to that server. End of story.
Even if it's encrypted it can still be deleted. That's called a Denial of Service attack.
So, yes, she's just like 90% of the Internet using public that assume that things are just peachy. Too many people trust the big webmail providers. They haven't earned that trust. In fact, they've shown many times that they aren't worthy of trust.
If you can't run your own server, use a server that someone you trust owns. That might be a friend, or a neighbor or a local ISP. They tend to be a little more careful since people can show up with pitchforks if they screw up.
The big providers count on the fact that most people don't understand security. So if your account gets hacked, so what? What are you going to do, stop using them? They have millions of other users. They don't care.
“Secure” is a relative term.
Is my house secure when I lock the screen door?
For the record, EVERYTHING I put in writing I do so with the assumption that the one person in the world who hates me and would hurt me any way they can will be able to get to it.
Everything.
I don’t care all that much about internet security.