> That said I've caught and blacklisted quite a few bad actors this way

same! A long time ago I registered an adobe account with the email "<username>+fsck_adobe@gmail.com"

Adobe then got hacked and their account database leaked. Later I got a personalized spam email for a dating site sent to the same +fsck_adobe@gmail email. I complained, and they claimed innocence, saying they got the email from some sort of contact lead service. I then got in touch with that contact lead service's CEO, and of course he had "no idea" how that email got in there. I'm sure they knew very well how it got in there, and after I reported it, they just removed everything after a "+" on @gmail.com emails...