Researcher control is a core ORCID principle, so email addresses registered and added to the ORCID record are set as visible to the record holder only by default. Researchers must choose to set their email address as accessible to everyone (i.e. public) or to trusted parties (i.e. limited access) for the address to be read by third parties.
If the researcher has their email address listed as trusted-party access only, it will be returned with the record if the researcher has granted you read-limited access.
For more information, see ORCID visibility settings.