Probably not, but...
Unicode's complexity (the BOM, UCS-2, UTF-16, UTF-8, and UTF-7 are bad enough, but then you've got combining diacritics, zero-width spaces, overlong encodings, right-to-left switching) means that there are going to be far more bugs associated with it than with ASCII.
When it comes to a web browser displaying Unicode text, the risk is very small. You pass Unicode text to a Unicode renderer that was written by people who know Unicode in and out.
It's when Unicode text controls something, like access to a file or the routing of an email, that problems arise. Although decades old, the notorious Microsoft IIS DotDot vulnerability is a great example. This took advantage of an overlong encoding for the /
character, allowing attackers to potentially access any file on the server's hard drive.
In your case, the mail gets routed through a couple of mail servers. If there is a vulnerability in their processing of the email address, the mail server might be compromised—but it's the FROM
address so it shouldn't do much damage. ... That is, unless you reply to the email (or there is some autoresponder), then it becomes a TO
address, which is maybe what the attacker hoped for.
I'm sure such an attack is very rare, and if it happens the emoji would probably look like garbage, but tl;dr Emojis are just Unicode characters and it's extremely unlikely for your device to be compromised by viewing them in a web browser.