There's a couple avenues besides just stealing what's in your URL bar.
If you don't use wildcard certs all of your subdomains can be scraped from the certificate transparency logs. Additionally, any domain+cert using HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.
> HSTS with preload enabled end up in a big list at Google to speed up the initial connection from browser to site.
HSTS preload is not for speed. It's to protect against SSL stripping on first connection. Modern browsers already try port 443 first or in parallel with 80.
CT logs just explain how they found the domain. T doesn't explain how they could have found unlinked content on the domain itself. If I put up secret-example.com/asdf-1234567.html, how does that page get found if there are no public links to it?
For hosts, but not pages on the site.
But I think the other explanations take care of pages: cloudflare hints, chrome reporting addresses visited, etc.