Apple (like any email provider that conforms to RFC 2822) supports plus addresses as well.
Any illegitimate email collection service already knows to strip out email subaddresses.
If you’re trying to avoid email spam, there’s not much difference in giving someone [email protected] versus just [email protected].
It's become a fairly regular occurrence that any email with + just shows an error saying the email isn't valid. Bad actors can also easily strip it out after
Bad actors can just strip the plus part of the address
Are you implying that plus addresses are part of RFC 2822? Because they aren’t. AFAIK, no RFC documents specify the plus address convention. The RFCs merely specify that, in an email address, whatever is to the left of the @ sign is to be interpreted by the receiving system, and nobody else should make any assumptions about any of it, and certainly never alter it. And also that the + character is one of the many permitted characters to the left of the @ sign in an email address.
The plus address convention is just that, a convention, widely implemented by many email programs and servers, but not required by any standard, nor universally implemented.