Is there a recommended best practice to avoid leaking user info through targeting rules? (ie. this issue) For example, is there a way to setup a targeting group for all emails ending with xxx.com without leaking xxx.com to all clients?

Yep, we have solutions: https://blog.growthbook.io/client-side-feature-flagging/

Ok, so for the specific case I mention only remote evaluation can solve it right?

you can use secure attributes, which makes it hard to figure out - depends how much security you need

Doesn’t my use case require sending the regex to the client? how can the regex be hashed?

secure attributes do not work with regex. If you require advanced string comparisons and security together, then remote evaluation is probably your best bet