Ignoring the backup email case as the other commenter left. In practice, accounts are not immediately compromised, so there is enough time to send a reset to the original user.
You could also do things like having the reset require the user to have a token that was issued before the compromise to prove you were able to authenticate before the leak happened.
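
A sketch of the pre-compromise token check suggested in the comment above, added here as an example and not part of the original comment. The token format, the names `issue_token` and `reset_allowed`, the key and the timestamp are all constructed assumptions, and it assumes the signing key itself was not exposed in the leak.

```python
import base64
import hashlib
import hmac
import json

# Assumption: this signing key was NOT exposed in the leak; if it was, an
# attacker could mint backdated tokens and the check would prove nothing.
SERVER_KEY = b"constructed-demo-key"
COMPROMISE_TIME = 1_700_000_000  # constructed value: epoch seconds of the leak


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Mint a signed token recording when this user last authenticated."""
    payload = json.dumps({"sub": user_id, "iat": issued_at}, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(sig)}"


def reset_allowed(token: str, user_id: str,
                  compromise_time: int = COMPROMISE_TIME,
                  key: bytes = SERVER_KEY) -> bool:
    """Allow a reset only with a valid token for this user issued before the leak."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Constant-time comparison; reject before trusting any claim.
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(payload)
        return (claims["sub"] == user_id
                and isinstance(claims["iat"], int)
                and claims["iat"] < compromise_time)
    except (ValueError, KeyError, TypeError):
        # Malformed token, bad base64/JSON, or missing claims: deny.
        return False
```

Only the issued-at value inside the signed payload is trusted; a timestamp supplied alongside the token by the client would defeat the check.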