I’m guessing the best approach is the following:
Checking if hasRolesChanged, returning early if that is not the case, and not allowing any other edits on the data if the roles have changed. Would you say that if a user can’t be found with the new email address, it’s say to determine hasEmailChanged? I’m not sure if existing email addresses can ever overlap in a way that would cause false positives with that logic