The cognitive overhead is not my objection (and I agree it wouldn't be much). The problem is that most people's personal email isn't primarily about correspondence anymore; it's about interacting with the various services where you have accounts or subscriptions. So your special password-reset email is also the place where you receive your social media notifications (because your social media account doesn't let you set a separate email for notifications and password resets). So now your password-reset email account is just as vulnerable to phishing because it's _not_ just your password-reset email, and there's no way to make it so.