This was exactly what occurred to me. I haven't read the spec, but I presume they want to display AMP content pre-click.
As you pointed out, that violates users' expectations about what security vulnerabilities they are initiating when they open an email. Indeed, even lay users may sense that it just feels "wrong" for an email to act dynamically without anything being clicked.