That's specifically what the leaked information would be used for. Given the sensitive information being leaked, attackers could potentially use the information to craft a more personalised phishing emails for the victims. Even if it isn't, the sensitive information could also be used in SE attacks against companies.
Phishing is phishing, whether targeted or spontaneous.
You can fall for phishing only through your own fault, no matter how clever it is. We have all the tools to check any link or any information that comes to your email.
Fortunately, the data breach is not that severe, only impacting their merchant information. At the same time, I don't think its necessary for Ledger (or any other hardware wallet manufacturer) to keep sensitive information of their customers for long periods of times. I would have expected information to be scrubbed regularly.
Logically yes, but in practice we don't know what Ledger does with our data. Some of the employees may sell the database, or the company's shadow policy itself may correspond to this.
We cannot know this, so it is useful to assume such things. Too many companies sell their customer data to others.