The emails I got were emails asking me to confirm a purchase. For some websites, signing up is a multistep process, in that your account is not fully created until you confirm your email and create a password. My guess is that is the case for Surf Shark. Who ever entered my email had to confirm a purchase, but since they entered the wrong address, they couldn’t.
Is it possible that this is because of a non FOSS keyboard like GBoard?
From what I have read, the keyboard can log strokes, mostly for advertising purposes in data collection, and sell them after piecing together various aspects of the identity they associate through bits and pieces of your interactions with their software. Please correct me if I am wrong.
That is a very far-fetched and highly unlikely theory, IMO. But yes, the dangers of using GBoard are real. That’s why I stopped using GBoard years ago. The keyboard app I use is AnySoft Keyboard, which is open sourced.