The JWT (id_token or access_token) will contain the email_verified claim with a value of true or false, so if you wish to limit privilege based upon this state, that would be a good way to do it.
It sounds like you're looking for a way to pass the timezone of the user into the passwordless call so it is available in the email template. I agree that the current timezone is more useful than the possibly stale value in the user profile.
We validate using RFC 5322 which defines the local part as a dot-atom;
“that is, it contains no characters other than atext characters or “.” surrounded by atext characters.
As far as I know the examples given are not valid email addresses. I think the only way you can begin or end an email address with a . is if it is quoted.