Then what?

Depending on my mood and whether the company is local, write a complaint to the company that leaked the address or to an appropriate government institution. In my country, a local computer security news site started a tradition of telling the offending companies that they can either apologize and donate some money to a charity (and send back the proof of payment), or you'll bring the issue up with Personal Data Protection Office, which will be more than happy to fine them.

I usually go for <company>@example.com where <company> is the company I’m handing my address to. After a breach I route that address to /dev/null

That's trivially easy to guess -- and game.

You want something that is sufficiently random that it can't be easily guessed or gamed, but can be quickly and easily determined on your side.

Salted cryptographic hashes might be a good place to start.

Most spammers won't go through the of "gaming" it. There's no upside. There are far easier targets to focus on than sending more mail to a single recipient who is more sophisticated.

After a breach of <company>@example.com, forward it to support@<company.com>.

Don’t give me ideas.

If you live in Europe, you might have a case.