Only of used after being spent though right? If you receive many times but don't spend, you're not exposing the public key.

With a Taproot address, you do

Oh really?

I believe you’re right

Here you can see two outputs from the same coinjoin. Both addresses received just a single transaction and there has not been a spend. The Segwit bc1q shows just the 20 byte -hash- in scriptpubkey while the Taproot bc1p shows the -actual- 32 byte pubkey