What is confusing you is that you consider the scalar multiplication (in your notation $x\cdot P$) as multiplication on a Finite field. Actually;
The scalar multiplication on Elliptic curves $[x]P$ actually means adding the $P$ itself $x$-times. This is how a public point is calculated, from a private key, the former is a point on the curve the latter is an integer. More formally;
let $x \in \mathbb{N}\backslash\{ 0\}$
\begin{align}
[x]:& E \to E\\
&P\mapsto [x]P=\underbrace{P+P+\cdots+P}_{\text{$x$ times}}.\end{align}
Here the $P+P =[2]P\;(=2\cdot P)$ means the point addition and has special formulas derived from the tangent-chord rule. With this point addition, for the curve defined over a finite field, the points form a finite abelian group and with the scalar multiplication, we have a $Z$-module.
When we talked about given $[x]P$ and $P$ finding $x$ is the discrete logarithm problem on the Elliptic Curves. On some curves, it is easy, however, on secp256k1 it is not easy and classical attack has a cost of $\mathcal{O}(\sqrt{n}$) while $n = order(P)$ with Pollard's Rho. The best-implemented attack has used a parallel version of Pollard's kangaroo algorithm on $2^{114}$ interval.
Shor's algorithm (if ever implemented for the real size and all the problems are solved) can solve the discrete logarithm in polynomial time. An estimate of the attack can be found here
Actually, one doesn't need the $y$ coordinate for the attack. There can be at most two $y$ values for given $x$ as long as $x$ is the coordinate of point satisfying the curve equation.
Standard ECDSA, on the other hand, some other real issues than Pollard's Rho and Shor's period finding algorithm.
Repeat of the nonce: private key is immediately leaked.
Bias on the random number generator for the nonce, lattice attacks reveals the key. Even tiny bias;
Short random, yes that existed in Bitcoin;
We have a better alternative, deterministic ECDSA by Thomas Pornin and Bitcoin and other started to use.
