So if person A forwards a group email to person B, and person B clicks on the "unsub" link in the footer of that email, person B should not be able to unsubscribe person A, unless person B also knows person A's login password -- right? That was one of the concerns I had too. Also if person B fakes person A's "from" email address and sends an email to the +unsubscribe address, there is a confirmation email that only goes to person A, so person B should not be able to confirm.
I still am almost 100% clueless what has been going on with the person in my group who gets unsubscribed and resubscribed so many times. So the original question remains unanswered. I THOUGHT he was doing this himself because every entry in the Activity log said "via web", but apparently that is not true at all. My best guess at this point is that there is some sort of interaction going on in emails between Groups.io's servers and the member's email gateway, causing him to be repeatedly unsubscribed and immediately resubscribed with altered delivery settings, without the member lifting a finger. Then Groups.io labels all that activity as "via web" even though it was entirely by email.
I note with some amusement that the link in the message footer to unsubscribe, includes "xyzzy" in the URL!