Because for the average user it is still significantly easier to download some app to use in combination with a password they have a mnemonic for rather than having to figure out their own system for storing and retrieving long tokens in a reliable way. Also, most users are not obsessively clearing out their cache, so device recognition based password flows work seamlessly a lot of the time.
Average users are also unlikely to enter passwords often enough for them to remember or develop mnemonics. For them forgot password emails are the defacto login method.
The system they will choose will be to get a new token by logining in with their email.
It will effectively be the same as those places that send you a login email after you have entered your password for security or harrashment (looking at you, Zoom).
