I like DuckDuckGo's Email Protection a lot, and I switched from my paid SimpleLogin account to it. DDG is free and unlimited, the aliases are human-readable, and sites rarely block them. The downside is that they're sort of hard to manage in multiple respects, but Qwacky helps a lot with the generation of them. The only way(?) to disable an alias is to receive an email through the address and then click the link at the top. There's also no dashboard to see all your aliases, but I store each DDG email alias in Bitwarden next to the relevant account; that way if I start getting spam from an address I can figure out which account is doing it by searching my vault for it. Creation of an account also requires downloading their extension or their browser I think? You can uninstall it immediately after and manage with Qwacky instead though.

It definitely feels too good to be free considering the competition, but I'd honestly be happy to start paying for it again if they start asking, and I trust DuckDuckGo to not disappear overnight and leave all my accounts fucked. I'm also guessing DDG will eventually implement a better dashboard and management tools, so I'm okay with limping along on an okay UX experience for now given the end results.

Isn't one of the problems with X that applications can log your keystrokes in other applications and record your screen? Obviously you shouldn't be installing compromised software, but who knows if Borderlands 2 now includes some malicious code in its DRM or something.

By default, Wine/Proton has access to your full Linux filesystem under the virtual Z:/ drive from within the Wine environment, so any dedicated adversary could include your Linux stuff into its data collection. The odds of this already occurring are probably low-ish. You can use bubblewrap raw to start sandboxing resources (e.g. blocking network access or masking directories), or there's a project called sandwine which presumably auto-configures the important stuff through bubblewrap (though I've never gotten around to trying it). Wine itself can also be configured to drop the Z:/ drive through its winecfg tool.

Without a dedicated configuration, I'm not sure Wine has any real priority or guarantee about sandboxing your original system from Windows executables, which is also why it's important to remember that Windows malware can still do damage when running on a Linux system. The malware doesn't really even have to be aware that it's running in Wine if it just tries to encrypt any files it can reach.