Can I use my Apple ID with a different password from what I use for iCloud

Recently, after making a purchase with a retailer, my iCloud mail suddenly began receiving about a dozen different (but similarly formatted) phishing messages daily. The obviously bogus sender's domain would change every day or so, but the username portion of the sender's email address would be the same as a known enterprise; e.g., Fedex@minayoussef.com, but the "return path" field in the headers would be empty.

Initially, my concern was triggered because the first of the bogus messages was allegedly from FedEx, and FedEx was in fact shipping the purchased article to me (the REAL shipping announcement with tracking number preceded the bogus message by mere minutes.

Other members of an email discussion group I belong to reassured me that they'd never done business with the same retailer, yet they had received exactly the same type of spam, so it seemed unlikely that my email address (or even worse, email address AND password) had been captured by a malicious attack on either FedEx or the retailer. but the episode heightened my concern about email security. For example, I'm curious about Apple's iCloud ecosystem's use of the SAME user address and password for iCloud Mail (that user ID of course faces the internet quite publicly every time it's used) and for the iCloud services with Apple such as file storage and sharing, hardware and software purchases, customer support, and subscriptions.

Is that not a risk elevator? Would it not be better for Apple to have its customers use a DIFFERENT password for email from what is used for all those other services. Of course that would require users logged in to iCloud for other purposes enter new credentials to use Apple's iCloud webmail interface, but that commonality seems to be a weak point in the architecture of Apple's user authentication. The dangers are lessened by 2fa, of course, but not eliminated.

Thanks so much for thoughts from others.