Thanks for the suggestions! The latest version of the plugin does implement PIN-based authentication, which would allow you to protect against email addresses getting spoofed.
If an email is received from an address that doesn't match a user on the blog, it will be set to pending so that an administrator can review. Additionally, even if it matches a blog user, that user needs to have "publish_posts" capability (Author, Editor, or Administrator by default), otherwise those posts will also be set as pending.
Since WP admin already includes the ability to manage which users are allowed to create new posts, I'm hesitant to duplicate that functionality within the plugin, but maybe if the UI listed which users do have that capability, with a link to the user management screen so the admin can add/edit them?
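The gating the reply describes, written out as an added example in WordPress-style PHP (this is not the plugin's own code): the `pbe_example_*` function names, the `pbe_example_pin` option name, the shape of the parsed `$message` array, and the choice to discard a mail whose PIN fails rather than queue it are all assumptions.

```php
<?php
// Added example, not the plugin's code. Decides what happens to an inbound mail:
// 'reject'  -> bad or missing PIN, nothing is created (assumed policy)
// 'pending' -> sender unknown, or known but lacks publish_posts
// 'publish' -> sender is a blog user with publish_posts
function pbe_example_post_status( array $message ) {
    $expected_pin = (string) get_option( 'pbe_example_pin', '' ); // hypothetical option
    $supplied_pin = (string) ( $message['pin'] ?? '' );

    // A spoofed From: header does not carry the shared PIN, so the PIN is checked
    // before the address is trusted. hash_equals() is a constant-time comparison.
    if ( $expected_pin === '' || ! hash_equals( $expected_pin, $supplied_pin ) ) {
        return 'reject';
    }

    // Gate 1: the sender must map to an existing blog user.
    $from = sanitize_email( $message['from'] ?? '' );
    $user = is_email( $from ) ? get_user_by( 'email', $from ) : false;
    if ( ! $user ) {
        return 'pending';
    }

    // Gate 2: that user must hold publish_posts (Author, Editor, Administrator by default).
    return user_can( $user, 'publish_posts' ) ? 'publish' : 'pending';
}

function pbe_example_create_post( array $message ) {
    $status = pbe_example_post_status( $message );
    if ( 'reject' === $status ) {
        return 0; // nothing stored; log the attempt elsewhere if desired
    }

    $user = get_user_by( 'email', sanitize_email( $message['from'] ?? '' ) );

    return wp_insert_post( array(
        'post_title'   => sanitize_text_field( $message['subject'] ?? '' ),
        'post_content' => wp_kses_post( $message['body'] ?? '' ),
        'post_status'  => $status,
        // Unknown senders get no author; the reviewing admin assigns one.
        'post_author'  => $user ? $user->ID : 0,
    ) );
}
```

Because the capability check runs against the matched WP_User at delivery time, removing `publish_posts` from a role in the normal user management screen immediately demotes that user's mailed-in posts to pending without any plugin-side configuration.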