Why would they bother?

Because they assume you've set name+spam@gmail.com to be filtered directly to spam, and they can easily evade those filters by removing the ±spam part.

Big companies do this. I have signed up for things using a +filter email address, only to receive the emails from that company that is signed up to get at my plane address, without the +filter part.

Because the overwhelming number of people with “+” in their email address are unlikely to click on spam.

To limit evidence of culpability in the event of a data leak exactly like the one we’re discussing.

Why would the hacker care about that?