Yes, anyone can share their Join Link with someone else. If they do, then John Smith using the email address email@example.com will show up multiple times in the webinar Attendee list.
It could be that John Smith actually used two computers to connect to the webinar. Maybe he is watching the webinar on his desktop computer, but using a tablet or smart phone for the audio. In this case he would show up twice in the Attendee list.
You could tell folks that they can use that Join Link on only one device. Warn them that if you see two people trying to connect to the webinar with the same credential, then you will kick both out of the webinar.
Of course, there could be a hundred people who just phone in and you would never know it. Those phone-only connections never show up in the Attendee list, but they don't get to see the screen either.
@Faisal1 Chris is right, that join links can be shared and dial-in-only participants go undocumented.
What I would add is that you can pre-screen registrants before approving them, create a webinar password, and restrict the webinar audio to VoIP-only (mic & speakers) for extra security.