Email aliases are not a security measure (den.dev)
6 points by dend 5 months ago | hide | past | favorite | 1 comment



Email aliases are most certainly a security measure, just not in the way they are talking about it. When a company gets popped or sells my email address, I know who did it. I can inform them, block them, tell others about them. The alias or canary should not have the company's name in it, as they have caught on to this and call it "fraud" when in fact they are trying to stop people from exposing their ineptitude and malevolence. As an example, the Tractor Supply Store deleted my $500 gift card because I had their name in my alias. I had no recourse other than to tell people about it. I spent hours on the phone with their support and at a point they were just laughing at me and making jokes about my situation. So yeah, aliases are most certainly a security measure, just not necessarily in the way some may think about it. Just keep the aliases or canaries vague but realistic looking. When a company abuses your email address, tell the world about it. This is both a security and privacy issue.

As for account security one should use MFA. I take it a step further and keep some domains on self-hosted servers so I can quickly swing DNS to my own self-hosted stack if the commercial provider gets completely taken over or shut down or cannot remediate an issue. The servers are already configured to accept mail for the domains currently pointed at the commercial provider, and given I do not keep any emails on the server I might lose some spam or one email from a vendor, and that's fine for me.

Another security measure is for the main account login name to use a really long name that looks almost like a long random-ish username, in addition to having a long complex password and MFA. Everyone is just copy/pasting from their password manager, right? If a potential attacker knows my email address is anon@some.tld, brute forcing that will do nothing if that is just an alias. My long ridiculous actual login name is a proper form of security through obscurity that their brute forcing tool will never try. I will not try to deprogram people's binary thinking of security through obscurity as it pertains to alert fatigue and brute force. It absolutely works. People can bang away at my alias for aeons, a.k.a. pounding sand. For my self-hosted domains I have a fake web portal for bots to bang away on.
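The per-vendor canary alias idea in the comment above, as an added example that is neither the commenter's code nor anything from the linked den.dev article: each vendor gets its own alias built from innocuous words (never the vendor's name, following the comment's advice), a registry records which vendor holds which alias, and mail arriving at an alias from any domain other than that vendor's own is attributed to that vendor as a leak or sale. Word lists, vendor names, mail domains and the sample messages are all constructed for the illustration.

```python
"""Canary e-mail aliases: one vague-but-realistic alias per vendor, so that
unexpected mail to an alias tells you which vendor leaked or sold it.
Added illustration; not code from the HN comment or den.dev."""
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed word lists. Aliases are assembled from these so they look like
# an ordinary personal address rather than "<vendor>@mydomain".
ADJECTIVES = ["quiet", "amber", "north", "velvet", "copper", "misty", "silver", "rustic"]
NOUNS = ["harbor", "meadow", "lantern", "orchard", "pebble", "willow", "canyon", "ember"]

# alias address -> (vendor label, vendor's legitimate sending domain)
Registry = Dict[str, Tuple[str, str]]


def make_alias(alias_domain: str) -> str:
    """Random local-part such as 'amber.harbor42' on the given domain."""
    adj = secrets.choice(ADJECTIVES)
    noun = secrets.choice(NOUNS)
    num = secrets.randbelow(100)
    return f"{adj}.{noun}{num:02d}@{alias_domain}"


def register_vendor(registry: Registry, vendor: str, vendor_mail_domain: str,
                    alias_domain: str) -> str:
    """Mint an alias for `vendor`, rejecting any that would reveal the vendor name
    or that collides with an alias already handed out."""
    vendor_token = re.sub(r"[^a-z]", "", vendor.lower())
    while True:
        alias = make_alias(alias_domain)
        local = alias.split("@", 1)[0].replace(".", "")
        if (vendor_token and vendor_token in local) or alias in registry:
            continue  # would name the vendor, or is already in use; try again
        registry[alias] = (vendor, vendor_mail_domain.lower())
        return alias


def attribute_leak(registry: Registry, rcpt: str) -> Optional[str]:
    """Given the envelope recipient of an unexpected message, name the vendor
    that was given that alias (None if the address is not a canary)."""
    entry = registry.get(rcpt.strip().lower())
    return entry[0] if entry else None


def find_leaks(registry: Registry, messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """messages are (sender, recipient) pairs. Returns (vendor, sender) for every
    message to a canary alias whose sender domain is not the vendor's own."""
    leaks = []
    for sender, rcpt in messages:
        entry = registry.get(rcpt.strip().lower())
        if entry is None:
            continue  # not one of our canaries
        vendor, vendor_domain = entry
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain != vendor_domain:
            leaks.append((vendor, sender))
    return leaks


if __name__ == "__main__":
    # Constructed demo: two vendors, then three messages, one of them from an
    # unrelated sender to the feed store's alias.
    registry: Registry = {}
    feed = register_vendor(registry, "Acme Feed Store", "acmefeed.example", "example.org")
    bakery = register_vendor(registry, "Corner Bakery", "bakery.example", "example.org")
    sample_messages = [
        ("news@acmefeed.example", feed),
        ("deals@unrelated-marketer.example", feed),
        ("orders@bakery.example", bakery),
    ]
    for vendor, sender in find_leaks(registry, sample_messages):
        print(f"alias issued to {vendor!r} received mail from {sender}")
```

The registry is the sensitive piece here: it is the only thing that links an alias back to a vendor, so it belongs in the password manager or another encrypted store rather than in a plain text file next to the mail client.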



