The email address isn't the user identifier. If you don't want email, don't ask for email. When you make the request, you can ask for email and/or full name, or ask for neither if all you want is the opaque token that identifies the user (and the one bit that says whether Apple thinks it's a real person).
That’s great—as long as that token can’t be trivially re-randomized and huge bonus points if that “real person bit” is a thing.
I haven’t investigated Facebook or Google SSO in depth (I always considered it a bit distasteful to participate in making these behemoths more indispensable) but if they offer some useful metadata that allows me to exclude G/FB accounts which are inauthentic or freshly created, I might look into it too.
Re-randomizing the email wouldn't make sense, as it's not the user identifier. It's literally just an email address, unique to the combination of your app and the user. If it could be re-randomized that wouldn't affect your ability to identify the user.
The "real person bit" is a thing. It's the sole bit of information Apple gives for free, which is either that Apple thinks it's "highly likely" that the user is a real person (the bit's absence doesn't mean Apple thinks it's a bot, it just means Apple can't be confident it's a real person, which might simply mean Apple doesn't have enough information to make that call).
