Feature: Block compromised credentials on password reset / recovery flow.
Description: Currently, with attack protection, we can block the use of compromised credentials when users sign up or when they log in, but this protection doesn’t extend to when a user changes their password via the reset password flow. (Source: Does "Block compromised credentials for new accounts" also block password changes?)
Use-case: It’s better to block early (at password reset time) than later (at login, after setting compromised credentials).