Originally Posted by golfmad
I've been doing this as well for several years. There's a caveat, though: once in a while, you'll encounter a corporate network that is configured to prevent data exfiltration by making sure that emails from the corp and destined for the corp remain in the corp's network (or at least only get sent to allow-listed servers). Now, some of these "solutions" don't check for the domain name of the corp, but for the corp's name, meaning the fictitious example avis[@]mydomain.com would match if Avis had such a system.
It took me a long time to diagnose why I wasn't getting any emails from two corps on my corp@mydomain, although disposable email addresses without the corp's name worked fine. It's one of the reasons why I'm now migrating to using unique alphanumerical IDs instead of corp names for my @mydomain addresses.
Originally Posted by golfmad
This approach also improves security because if someone wants to hack one of my accounts they need to guess the unique email address as well as the unique password.
That's true; this is about 100% effective in preventing automated credential-stuffing attacks. OTOH, it may pique the interest of someone going manually through a list of stolen credentials, so unique passwords are, of course, still required.
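As an added illustration (not code from either poster), the snippet below models the two behaviours discussed above: an outbound mail rule that matches on the corp's *name* anywhere in the recipient address (which is what swallows `avis@mydomain.com`) versus one that compares only the domain part, plus a generator for the random alphanumeric aliases the poster is migrating to, which retries until the alias contains no corp name. `CORP_NAME`, `CORP_DOMAIN` ("avis.example") and `mydomain.com` are constructed placeholders, not real systems or addresses.

```python
import secrets
import string

# Constructed placeholders for the scenario in the thread; not real domains.
CORP_NAME = "avis"
CORP_DOMAIN = "avis.example"


def naive_name_match(recipient: str, corp_name: str) -> bool:
    """Over-broad rule: any recipient whose address contains the corp's
    name is treated as 'internal' and kept inside the corp network.
    This is the behaviour that blocks mail to 'avis@mydomain.com'."""
    return corp_name.lower() in recipient.lower()


def domain_match(recipient: str, corp_domain: str) -> bool:
    """Correct rule: look only at the domain part after the last '@'."""
    _local, sep, domain = recipient.rpartition("@")
    return sep == "@" and domain.lower() == corp_domain.lower()


def classify(recipient: str, corp_name: str = CORP_NAME,
             corp_domain: str = CORP_DOMAIN) -> dict:
    """Evaluate one recipient under both rules so the false positive
    of the name-based rule is visible side by side with the domain rule."""
    return {
        "recipient": recipient,
        "blocked_by_name_rule": naive_name_match(recipient, corp_name),
        "blocked_by_domain_rule": domain_match(recipient, corp_domain),
    }


def make_alias(service: str, my_domain: str, length: int = 12,
               avoid: tuple = ()) -> str:
    """Generate an alphanumeric alias for `service` on `my_domain` that
    carries neither the service name nor any word in `avoid`, so a
    name-based outbound filter has nothing to match on. Keep the
    alias -> service mapping in your own records (e.g. the returned
    value paired with `service`)."""
    alphabet = string.ascii_lowercase + string.digits
    banned = [w.lower() for w in (service, *avoid) if w]
    while True:
        token = "".join(secrets.choice(alphabet) for _ in range(length))
        if not any(b in token for b in banned):
            return f"{token}@{my_domain}"


if __name__ == "__main__":
    # Constructed sample recipients: the poster's old corp-named alias,
    # a genuine corp mailbox, and a random-ID alias.
    for addr in ("avis@mydomain.com", "bookings@avis.example",
                 make_alias("avis", "mydomain.com")):
        print(classify(addr))
```

The first row shows the problem from the thread: the name-based rule flags `avis@mydomain.com` as internal while the domain-based rule correctly does not; the random alias is passed by both rules.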