Not if you get a wildcard certificate, then the CT logs only show *.example.com. The bad guys also can’t get subdomains from the DNS server without breaking into it because nowadays DNS servers don’t do public zone transfer.

You can also use a wildcard CNAME on the DNS too, just to be extra safe. That way the subdomain names only live in your reverse proxy and on your devices, effectively acting as an additional auth factor (see below though). But it only works if you don’t need to define any explicit subdomain; typically clashes with email stuff because a CNAME on *.example.com won’t allow you to also have MX on *.example.com or TXT on _dmarc.example.com.

It’s true that subdomains are not a super secret auth factor right now because of SNI (Server Name Indication) which transmits them in clear outside TLS connections, so that reverse proxies can do host-based routing. So the subdomain can be intercepted anywhere on routers, by ISP etc. It will also be freely given away to any DNS server you use to resolve them (but you can mitigate that by using DoH or DoT with a privacy-pledged DNS server). You also can’t afford to share links to your subdomain with anybody so it’s best kept for services used only by a select number of trusted people.

The SNI issue is being worked on btw, we now have Encrypted Hello (ECH) which uses DoH keys to encrypt the domain name outside TLS, but ECH is still being adopted.