If his address would be outside of the gap limit, which basically just means that electrum didn't derive that key pair yet and didn't query the server for its balance, there wouldn't be any outgoing transaction with the exact (complete) amount he had in his wallet (and still should have it nothing was stolen).
This is even less likely, since there is an outgoing transaction.
Either he has a non-2FA wallet and somehow his mnemonic code and/or computer got compromised or he had a 2FA wallet and his mnemonic code or computer together with 2FA device/backup got compromised.
Without any outgoing transaction sending all his balance away (which he seems to not have initialized), both options might be a valid possibility. However, in this case, that's rather unlikely.
Well, I have put them out as the "conceivable reasons" because there has been "many a peck of salt eaten since that time" of 2018 mentioned by OP. So him might be forgotten what he was really doing. That is why any possible cause has to be checked. Anyway, I think, your clarification will meet his appreciation.