> Doesn't this subaddress all just resolve to the same account?
Not in OAuth/OIDC compliant identity providers. As one example, I frequently use + email addresses for testing on auth0-secured apps, where I use the + text to tag a role or some other user attribute that identifies what makes the test account special. eg stult+admin-staging@example.com or stult+user-declined-gdpr-prod@example.com. Each plus variant resolves to its own separate account with its own password (which I do in fact manage via a credential manager), without requiring me to set up multiple full email addresses to simulate multiple users with verified email addresses.
Not in OAuth/OIDC compliant identity providers. As one example, I frequently use + email addresses for testing on auth0-secured apps, where I use the + text to tag a role or some other user attribute that identifies what makes the test account special. eg stult+admin-staging@example.com or stult+user-declined-gdpr-prod@example.com. Each plus variant resolves to its own separate account with its own password (which I do in fact manage via a credential manager), without requiring me to set up multiple full email addresses to simulate multiple users with verified email addresses.