I've used <site/company>@domain.com for many many years and never had someone do that.

Spammers simply obtain lists of emails through hacking or purchasing them and then spam them, they don't pick a particular address and modify it.

Spammers who just blast stuff out won't do it, I'm sure.

But as a counterpoint it literally happened to me to me years ago when I used to use name+<service>@exmaple.com. I got cold emails to 'name+paypal' despite never, ever having used that localpart. I've no doubt it was absolutely targetted and not a hit-and-hope spamblast but it was enough of a wake-up call for me to realise it couldn't really be relied on.

I’ve been doing this for years and have never had any problems with it. It is more likely that generic emails will be generated if you have a domain that is also present as a public website on the internet.

Why would they want to spend effort trying to brute-force addresses to show me emails that they already have the ability to sent to me and I didn't generate them any revenue from?

No idea, just pointing out it is such an obvious alg it doesn't really show provenance.

I used similar (well, plus addressing with localpart=name+<service>) a long time ago and once got emails to name+paypal@example.com even though that was a suffix I'd never used. Some enterprising person out there had obviously obtained one or more of my service-specific addresses and was trying to game my attention by changing the identifier to something 'important'. That's when I personally ditched the approach.

"Provenance" might be have been a bit too strong; maybe I should have said "strong signal". It's an additional piece of info that will almost always identify the source, but in the rare exceptions it's not any worse than if I just used a single address for anything.