Feb 19, 2021
Yes you are right but let me give you a scenario for better clarification.
- A victim creates an account on xyz.com with email abc@mail.com
- He/She forgets the password and sends the reset link to abc@mail.com
- Now he/she doesn’t use it because he/she can recall the password
- He/She logs in and changes the email from abc@mail.com to hello@mail.com
- Now, somehow, an attacker gets access to abc@mail.com and uses that password reset link to compromise the account created by the victim on xyz.com
In the above scenario of yours it is only possible if the attacker gets access to hello@mail.com and not to abc@mail.com
Thank You :)
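The defensive counterpart to the scenario in this reply, as an added example that is not code from the thread or from any product mentioned in it: a minimal password-reset service that revokes every outstanding reset token when the account e-mail changes, and additionally binds each token to the e-mail address it was sent to, so a link mailed to abc@mail.com stops working once the account moves to hello@mail.com. All class and function names, the 15-minute lifetime and the in-memory storage are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added example (hypothetical names): reset tokens are stored hashed, are
# single-use, expire, are bound to the e-mail they were issued for, and are
# revoked whenever the account's e-mail changes.

TOKEN_TTL_SECONDS = 15 * 60  # assumed 15-minute token lifetime


def _hash(token: str) -> str:
    # Persist only a hash so a leaked token table cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self) -> None:
        self.users = {}   # user_id -> {"email": str, "password": str}
        self.tokens = {}  # token hash -> {"user_id", "email", "expires", "used"}

    def register(self, user_id: str, email: str, password: str) -> None:
        self.users[user_id] = {"email": email, "password": password}

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a token bound to the user AND to the address it is mailed to.
        Returns the raw token (the value a reset link would carry), or None
        when no account matches; a real endpoint should respond identically
        either way to avoid account enumeration."""
        now = time.time() if now is None else now
        for user_id, rec in self.users.items():
            if rec["email"] == email:
                token = secrets.token_urlsafe(32)
                self.tokens[_hash(token)] = {
                    "user_id": user_id,
                    "email": email,
                    "expires": now + TOKEN_TTL_SECONDS,
                    "used": False,
                }
                return token
        return None

    def revoke_tokens_for(self, user_id: str) -> int:
        """Invalidate every outstanding reset token for a user; returns how many."""
        stale = [h for h, t in self.tokens.items() if t["user_id"] == user_id]
        for h in stale:
            del self.tokens[h]
        return len(stale)

    def change_email(self, user_id: str, new_email: str) -> None:
        """Changing the e-mail revokes reset links sent to the old address."""
        self.users[user_id]["email"] = new_email
        self.revoke_tokens_for(user_id)

    def consume_reset(self, token: str, new_password: str,
                      now: Optional[float] = None) -> bool:
        """Return True and set the password only for a live, unused token whose
        bound e-mail is still the account's current e-mail."""
        now = time.time() if now is None else now
        rec = self.tokens.get(_hash(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        user = self.users.get(rec["user_id"])
        # Defence in depth: even if revocation were missed, a token issued for
        # an address that is no longer on the account is not honoured.
        if user is None or user["email"] != rec["email"]:
            return False
        rec["used"] = True
        user["password"] = new_password
        # Any other outstanding tokens for this user are now stale as well.
        self.revoke_tokens_for(rec["user_id"])
        return True


def replay_scenario() -> dict:
    """Replays the reply's scenario with constructed data: a link is requested
    for abc@mail.com, the e-mail is changed to hello@mail.com, then the old
    link is tried, followed by a fresh link to the current address."""
    svc = PasswordResetService()
    svc.register("victim", "abc@mail.com", "original-pw")
    old_link_token = svc.request_reset("abc@mail.com")
    svc.change_email("victim", "hello@mail.com")
    old_link_works = svc.consume_reset(old_link_token, "attacker-pw")
    new_token = svc.request_reset("hello@mail.com")
    new_link_works = svc.consume_reset(new_token, "owner-pw")
    return {
        "old_link_works": old_link_works,
        "new_link_works": new_link_works,
        "password": svc.users["victim"]["password"],
    }


if __name__ == "__main__":
    print(replay_scenario())
```

The two checks are deliberately redundant: revocation on e-mail change is the primary control, and the issued-for-this-address comparison in `consume_reset` catches any path (a missed revocation hook, a second code path that edits the e-mail) that skips it. The same revocation should run on password change and on session logout-everywhere, since those are the other moments when previously mailed links become suspect.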