Yes, with controlled permissions the user can clearly decide about. Nothing gives you full access over an account.

This is like disabling MFA and giving you my google username and password. Actually it's worse than that because Google would probably ask me for an email verification code. Try adding this to a phishing/social engineering framework, they will be impressed.