The account recovery on its own only affects the owner authority, all other authorities are not touched. In the Request_account_recovery operation, you can specify how the new authority should look like, including any account_auths, key_auths, weights and the threshold - see for example here. Changing any lower-priviledged keys is then possible from the new owner authority.