I'm not saying this is good security hygiene, but not necessarily everyone with access to the file will also have access to the password in the email.
E.g. someone downloaded the password-protected zip on a public computer, logged out of their email, but forgot to delete the file.
This is often a useful practice, because it prevents providers' badly-written/-configured attempts at antimalware from blocking files that the recipient knows they want to accept.
(I see it all the time. Along with the password in the very same email)