Yes and no. Admin accounts often remain logged in as a practical matter. They can’t see incoming reports, registration applications, etc. if the account isn’t logged in. And there is no “middle tier”/sitemod or customizable permissions allowing for anything between community mod and instance admin that would mitigate the need to use admin accounts day to day.
that wouldn’t have necessarily stopped this attack I don’t think, but yeah, probably a good idea on multiple levels.
If the separate admin window was open, and a tagged reply or PM was sent to the admin account I think that would render the emote in the notification and trigger the exploit