isn’t this easy for a potential attacker to mitigate, i.e. dropping from the address everything after the plus? it’s a known trick for gmail so i would not be surprised if an attacker knew how to get to the “real” address by cleaning it up.

Yes, even some attackers I noticed they excluded all custom domains from their dumps to avoid alerting individuals before they sell it. It’s why it’s better to have a fully unique email, preferably masked one (not custom domains) as some email services provider do, so you get the isolation feature but also blending in without going noticed by attackers.