Thanks!
I guess I can hook to action:user.email.confirmed for reading the existing email and then replacing it with a hashed version.
However, password reset wouldn't work since it wouldn't find the uid for the (non hashed) email address provided (here).
We can add a hook for preprocessing the email before looking for the uid, but that won't be enough since later the email is sent according to the email field in the db (i.e. not the email provided by the user when asking to reset).
One possible solution is:
Add a hook for preprocessing the email used for getting the uid.
Pass the provided email in params to emailer.send (here) like it's done for welcome and email verification.
And here instead of checking that for the template check if params.email is defined.
Does that make sense?