So many questions on this...
It was my understanding that the <30 day old owner key was actually required by base layer consensus to perform recovery.
Also, if someone has stolen your account and changed your keys, doesn't that mean they already know your old memo key? Can't you generate the memo key with the owner key?
I guess I'm still not understanding how the recovery account is unable to steal the account.