Sometimes customer support staff bring up "oh, do you work at <company> too?" I just tell them that I created an email address just for their company, in case they spam me.
Aside from issues such as the business entity (sometimes silently) prohibiting their name in my email address, I have sometimes encountered cases where part of the email validation process checks to see if the email server is a catchall, and rejects the email address if it is. It takes a little extra effort on my part to make a new alias, but sometimes it's required.
Lots of organizations (such as PoS system providers) will associate an email I provided with credit card number, and when I use the card at a completely different place, they'll automatically populate my email with the (totally unrelated) one that they have. Same goes for telephone numbers.
I've had many incidents similar to the author's. More often than not, it's a rogue employee or a compromised computer, but sometimes it is as nefarious as the author's story.
I will also not hold my breath waiting for the legally required breach notification they are supposed to send.
Oh boy, I have had many of these conversations, and especially non-technical people never grasp the concept. I had some cases where they demanded I change it and use a "real email like gmail!!" One time I bought shoes and the store guy asked me for an email to sign up for whatever, so I read out the shoe's name and added the custom domain; he gave me the look as if I were bullshitting him. Another time, at a government-connected agency, she thought "I work there because I have the agency email", despite it being the alias, not the domain.
But similar to OP, a few times I found the service was leaking my email, or they got compromised, who knows.
As well as simply attributing leaks, it’s most valuable as a phishing filter. Why would my bank ever email an address I only used to trial dog food delivery?
Many years ago, before I started using iCloud Mail, I was running my own email server and had it set up to forward everything sent to any address on my domain to my inbox. The advantage was that I could invent random aliases any time I wanted and didn’t even need to do anything on the server for those emails to get delivered to my main inbox. The very big drawback as I soon experienced was that spammers would email a lot of different email addresses on my domain that never existed but because I was going catch-all, would also get delivered to my main inbox. They’d be all kinds of email addresses like joe@ or sales@ or what have you. So apparently they were guessing common addresses and because I was accepting everything I’d also get tons of spam.
Initial account creation confirmation email, and maybe even some newsletters, were sent from noreply@ some domain. Responding to such an email address directly will likely either bounce or be silently dropped on their side, as indicated by them using noreply as the sender address.
The website might say to email support@ their domain. But because, as you point out, iCloud alias addresses cannot be used as the sender when composing a new message, and I don't have any past received emails from that address, I can't email them using the same alias email address that I used to create the account.
And of course if the account belongs to jumping.carrot-1j@icloud.com and I instead send them an email from a different sender address, then they will be sceptical about whether it really is the account owner trying to get in touch or some impostor. Assuming they don't completely ignore the email on those grounds, you might eventually get support if you are able either to answer questions from them about past invoice amounts and dates or similar, or if they are willing to email the original account owner address from their support address. But it's extra hassle, if they even bother to respond at all.
Fortunately most websites have a contact form or similar to get in touch with their support, but there are a few sites that have an email address as the only way to contact their support.
No I'm not trying to hack you.
Which in hindsight is also what a hacker would say. I can't win...
They know their way around IT security! /s
It's always an unpleasant surprise when some company terminates a years-old, active and valid account because of a stupid policy change on their part.
Even if it's a "new" alias, I often see people[1] using simple schemes to derive the address, e.g. facebook@mydomain.example. With cheap LLMs it's not hard to automatically guess what the underlying pattern is.
edit:
[1] i.e. in this very thread
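Two problems come up in this thread: a catch-all domain that accepts guessed addresses like joe@ or sales@ (the spam complaint above), and per-service aliases derived from a pattern anyone can guess (facebook@mydomain.example). The example below is added here and is not from any commenter; it shows one way to address both at once by binding a short keyed tag to each alias, so that facebook.<tag>@mydomain.example is unguessable without the secret and a catch-all mailbox can reject anything whose tag does not verify. The secret, domain and function names are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed values for the example; in practice load the secret from a
# secrets store and use a long random value.
SECRET = b"replace-with-a-long-random-secret"
DOMAIN = "mydomain.example"
TAG_LEN = 8  # hex chars of the HMAC kept in the address (32 bits)


def _tag(label: str, secret: bytes) -> str:
    """Truncated HMAC-SHA256 of the service label, keyed by the owner's secret."""
    return hmac.new(secret, label.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Build the alias to hand to a service, e.g. 'facebook.1a2b3c4d@mydomain.example'.

    The label is still readable so leaks can be attributed, but the tag cannot be
    derived from the label without the secret, so nobody can extrapolate the scheme.
    """
    label = service.strip().lower()
    return f"{label}.{_tag(label, secret)}@{domain}"


def is_valid_alias(address: str, secret: bytes = SECRET, domain: str = DOMAIN) -> bool:
    """Check an inbound recipient address; use this as the catch-all accept rule.

    Addresses without a tag (joe@, sales@) or with a tag that does not verify are
    rejected, so dictionary-style guessing of the domain no longer lands in the inbox.
    """
    local, sep, dom = address.strip().lower().rpartition("@")
    if not sep or dom != domain:
        return False
    label, sep, tag = local.rpartition(".")
    if not sep or not label:
        return False
    # Only accept a well-formed hex tag before comparing, so odd input cannot
    # reach compare_digest with the wrong type or length.
    if len(tag) != TAG_LEN or any(c not in "0123456789abcdef" for c in tag):
        return False
    return hmac.compare_digest(tag, _tag(label, secret))


def filter_recipients(addresses: list[str]) -> list[str]:
    """Return only the addresses a catch-all mailbox should deliver."""
    return [a for a in addresses if is_valid_alias(a)]


if __name__ == "__main__":
    # Constructed sample of recipients a catch-all domain might see.
    inbound = [
        alias_for("facebook"),
        "joe@mydomain.example",
        "sales@mydomain.example",
        "facebook@mydomain.example",
        "facebook.zzzzzzzz@mydomain.example",
    ]
    for a in inbound:
        print(f"{a:45} {'deliver' if is_valid_alias(a) else 'reject'}")
```

The tag is deliberately short so the address stays typeable for a clerk at a shoe shop; 32 bits is enough to stop pattern extrapolation and blind guessing, and the secret can be rotated per year by folding the year into the label if you want old aliases to age out.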