> how can someone take a multihash and get my public key out of it

If you're using an ed25519 key with the identity multihash you can just pull it out. With RSA + SHA256 multihash you'd be out of luck since there's no way to reverse the hash function.

> my understanding that CIDs were the end result of using multiformats together

idk if I'd phrase it quite like that, but there are convenient CID tools to utilize many of the different multiformats (i.e. multibase, multihash, and multicodec)