Not necessarily. Both my main addresses still come back clean after years in use.

The one I use for random crap has 9 hits though.

In that case he could just store the emails that haven’t been compromised yet.

If we're going to take my obviously unserious suggestion seriously, I'd suggest a bigger problem is that his stack isn't in Python and the code for whether an email is pwned probably isn't remotely structured as a function call like that...

but other than that I'm sure it's a good idea.

Same here