Re: The answer is obvious
"Like most here - I also use individual addresses pointed at a catch all address so I can filter out spam / monitor which companies are ignoring my 'tick if you do not wish to be contacted by selected 3rd party companies'."
I have two domains specifically for this purpose. It is the only thing they are used for, and usually only receive email, so no individual usernames are set up on my system, other than the domain itself. In the event I want to send an email to a company using these domains, I have to manually type in the email address I am sending from.
"Quite a few years back when I first started doing this - I'd contact the company to tell them that their email list had been compromised [...] however the response was an aggressive, ignorant, buck pass saying they'd never use their mailing lists for 3rd parties, rather than figuring out who's been selling their mailing list to their mates... No good deed goes unpunished!"
Yup. Been there, done that, didn't buy the t-shirt from the spammer.
More than one such address has been compromised. In some cases, while a unique address at one of the domains is used, I know that the "company" is really just a small-fry sole trader, so the chances are their computer has been compromised.
The very first time it happened, though, it was either Experian or Equifax (I can't remember which), the address being one I'd used when I checked my own credit rating* - and when I contacted them about it, the response I got was, as yours: "not us guv, not possible, we're squeaky clean and more secure than a nun's nethers, honest to goodness."
* Always worth doing. Then you get to discover things like you have an alias that you never knew about - which I discovered on my most recent check.