Your account didn't get hijacked because you didn't set up a phone number or because you didn't read your recovery emails. Your account got hijacked because you reused a password or installed malware, and didn't set up 2FA. There was no "spam vs security" trade-off here.<p>Not setting up the account with sufficient recovery options is responsible only for your inability to recover it, not for the hijack itself.
Isn't this the entire point of GDPR in the EU? To prevent corporations and individuals from using your personal data for any purpose other than for the reason you provided it.<p>Perhaps you should change your strategy? Personally, I use myname+website@gmail.com as then I'll know the source when I find my email address has been sold to a 3rd party.