When my kids were young, I set them up with two email addresses: one for emailing friends, the other for emailing businesses. The assumption was this would protect their personal friend emails from spam. The reality was by the time they were older teens almost all the spam they received came in on their personal friend emails and almost none of it came on their commercial-use addresses.
My assessment was businesses were not stupid enough to sell email addresses (they knew they'd be reamed for it if word got out) but just enough of their friends' machines had sketchy browser plugins, malicious Android apps, back-doored aimbot cheats, etc. harvesting contact addresses and sending the data back to spammers.
> their friends' machines had malicious Android apps harvesting contact addresses
Basically the majority of apps in the Play Store have permissions to see the contacts, then they vacuum up the whole address book and sell it to companies doing correlation with data from other services—and pretty much compiling giant stores of identifying info and contacts. I guess it's a given that tons of that info also falls into spammers' hands, and since almost no one in the public ever heard of these particular companies, they face zero consequences for what they're doing.
Could you set up a separate app for contacts (and other stuff that you want to isolate) that others cannot see, in order to prevent it?
Dunno what to do about messengers and such, which integrate with the contact system to show their correspondents in e.g. the ‘share’ menu. Not sure if these contacts are available to other apps—but if they are, it seems impossible to hide them.
Also there's e.g. a plugin for the (non open-source) Xposed ‘framework’, to feed fake data to apps that want to access the location and other such info. Seems to be able to fake the contacts, too, but afaiu requires a rooted phone: https://github.com/M66B/XPrivacyLua