Technical whitepaper, page 14, footnote 7:
The hash of the address is used as the key. Even though addresses are hashes of the public key, an adversary could create a new account at an address that is a near collision with a real address. While no transactions can be sent from this account because the private key corresponding to its address is unknown, the existence of this near-collision in the tree increases the proof length for the nearby address. Hashing the address before using it as a key reduces the impact of this type of attack.
Does the use of one more hash really make a difference in this regard? An adversary could still brute-force key generation to get an account that would give a key that is a near collision to another account in the map.
To really deter an attacker from generating keys until they get a near collision with a real account, the single round of extra hashing would have to be replaced by a KDF or other form of cost that is configured to be negligible for regular users but costly for an adversary.
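To put numbers on the footnote and the question above, here is an added example (not code from the whitepaper or the project) that compares how many leading key bits a chosen neighbouring address shares with a real one when the address itself is the key and when its hash is the key. Assumptions: SHA-256 stands in for the unnamed hash, addresses are 32 bytes, the victim address is constructed, and proof length is modelled as growing by roughly one sibling per leading bit a key shares with its closest neighbour.

```python
import hashlib

def tree_key(address: bytes) -> bytes:
    """Key under which an account is stored: the hash of its address."""
    return hashlib.sha256(address).digest()  # stand-in hash (assumption)

def common_prefix_bits(a: bytes, b: bytes) -> int:
    """Leading bits shared by two equal-length keys."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return len(a) * 8 - diff.bit_length()

def flip_last_bit(address: bytes) -> bytes:
    """An address that differs from `address` only in its final bit."""
    return address[:-1] + bytes([address[-1] ^ 1])

def trials_for_shared_prefix(victim: bytes, want_bits: int, limit: int = 1 << 20):
    """Try constructed addresses until one's hashed key shares `want_bits`
    leading bits with the victim's hashed key; return (address, trials)."""
    target = tree_key(victim)
    for trials in range(1, limit + 1):
        # Any 32-byte string can serve as an address here: per the footnote,
        # the adversary does not need the matching private key.
        candidate = hashlib.sha256(b"candidate-%d" % trials).digest()
        if candidate != victim and common_prefix_bits(tree_key(candidate), target) >= want_bits:
            return candidate, trials
    return None, limit

if __name__ == "__main__":
    victim = hashlib.sha256(b"constructed victim public key").digest()
    neighbour = flip_last_bit(victim)
    print("address as key:", common_prefix_bits(victim, neighbour), "shared bits, 1 trial")
    print("hashed key, same pair:",
          common_prefix_bits(tree_key(victim), tree_key(neighbour)), "shared bits")
    for k in (4, 8, 12, 16):
        _, trials = trials_for_shared_prefix(victim, k)
        print(f"hashed key, {k} shared bits: {trials} trials (expected about {2 ** k})")
```

With the address as the key, 255 shared bits cost one chosen address; with the hashed key, each additional shared bit roughly doubles the expected number of trials, so the hash bounds the attack by work rather than removing it.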