but for me, best practice is store crypto in a "one-way" wallet (only deposits). If I need to send/spend from the wallet, I send the remaining balance to a new "one-way" wallet(deposit only)"
You are referring to
address reuse.
So theoretically the attacker could use the sending address to derive the public key and then from the public key derive the private key.
but why make it easier by exposing the public key by SPENDING FROM the wallet.
I like to use the space travel analogy here, saying it makes it "easier" for the attacker to find your private key by revealing your public key compared to only revealing your pubkey hash is like saying traveling to Uranus (19.2 AU) is easier than traveling to Neptune (30.1 AU, farthest planet from earth). The statement is not wrong but the act remains astronomically difficult that makes both impossible, and will remain impossible in our lifetime (possibly).