I do aliases as well. Never enough. A battle-tested spammer would run s/+[^@]*// on the address before sending.

I have my own domain and just do <website-name>@mydomain.com and redirect everything to the same inbox sorted in folders.

Works pretty well, if any of those addresses gets into some spam list I just block it (hasn't happened yet, though)

Catch-all (*) setup is the best, until a spammer hits a gibberish localpart (on purpose) and your domain cheerfully accepts it.

Don't get me wrong, I use catch-all too (don't tell spammers).

I whitelist using regular expressions (specific prefixes mostly). Gibberish and random localparts are unlikely to match those, it effectively never happens.

Using passmail aliases through protonmail has worked well for me, that way my domain isn't exposed. And everything forwards to one inbox.

Subaddressing != aliasing.

Aliasing !== masked email

Agreed, there are also ways to employ aliases which won't prevent spam, but this still doesn't explain the relation to the subaddressing regex or why other ways or employing aliases (e.g. masking) are never enough.