Every time another human being gets sight of my data, I regard it as potentially ‘leaked’. They might be dishonest, or they might just be stupid, but unless I have reason to trust them an awful lot, I have to regard that data as no longer being private.
That applies in particular to credit card numbers and always has done, predating online transactions. Nowadays, I think (?) it even applies to contactless purchases using cards. The merchant or retailer, who I don’t know from Adam, gets to see my card number. Fortunately a card number on its own, absent of security code, is of limited use to fraudsters - otherwise I’d probably not use bank cards at all, online or in the high street.
Not sure how it applies to other contactless payments, such as my Apple watch. That gets assigned its own unique equivalent of a card number, so the retailer never gets to see the number printed on my card, or so I understand. I do use it most often these days.
The only time I experienced an actual worrying problem was a British Airways fiasco a few years back when, through incredible incompetence, they disclosed the card numbers and CVV security codes to fraudsters. On that occasion I did take the precaution of immediately calling the bank to cancel the card, without waiting for the bank to do so themselves, and without waiting to see if it was actually misused.