I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).

Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.

Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.

I've had many incidents similar to the author. More often than not, it's a rouge employee or a compromised computer, but sometimes it is as nefarious as the author's story.

I am more specific: if I start receiving pornographic spam like I did to the address I gave Dell, I will know they have been hacked.

I will also not hold my breath waiting for the legally required breach notification they are supposed to send.

> up "oh, do you work at <company> too"?

Oh boy, I had many of these conversations and especially non technical people never grasp the concept, I had some cases where they demanded to change it and use a “real email like gmail!!”, one time I bought shoes and the store guy asked me the email to signup for whatever, so I read the shoe’s name and added the custom domain, gave me the the look as if I am bullshitting him. Another at a government connected agency and she thought “I work there because I have the agency email” despite it is the alias not the domain.

But similar to OP, few times I found the service is leaking my email, or they got compromised who knew.