I've got a few dozen domains, and primarily use two of them for business interactions. One is a catchall, while the other requires me to create explicit email addresses (or aliases).

Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.

Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.

I've had many incidents similar to the author. More often than not, it's a rouge employee or a compromised computer, but sometimes it is as nefarious as the author's story.

Wildcard email addresses will subject you to a torrent of spam when spammers try dictionary attacks against your domain. It's better to explicitly create aliases, I built a web UI for Postfix to do this for myself and family (https://GitHub.com/fazalmajid/postmapweb)