I've been using SG for several years and on ~10 occasions, one of my (>100) disposable email addresses inexplicably started receiving mass quantities of spam. I've always been quick to finger the website on which I used the (now, compromised) disposable email address -- but several of them seemed, intuitively, very unlikely to have such terrible security as to be leaking my (disposable) email address. One in particular such example was Dropbox, which seemed to have leaked my disposable Dropbox email address because of the spam I started getting soon after registering... and they have reasonably good security.
Today, I read this blog article:
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
Which describes a (fairly) long-standing attack that websites can use against your web browser based password manager. Now, I try to remember to disable the web browser based password manager as I use a separate password manager application, but I'm sure I've accidentally clicked "remember this password" or "save this email address" on a few occasions. This article lays out a very compelling explanation of how the email address portion of the items saved in the browser's password manager could be read by a third-party site. And, if you're like me, that email address is very likely to be a SG disposable email address.
So, next time one of your disposable email addresses is compromised and starts receiving a boatload of spam, check to see if it's one of the elements saved in your browser's password manager before jumping (as I did) to the conclusion that the site(s) on which the disposable email addresses was used are responsible for the leak.