As per "How does recovering the public key from an ECDSA signature work?", it's possible to recover public keys from ECDSA signatures.

Is this possible for EC-Schnorr signatures as well?

I'm looking specifically at https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki as a reference on EC-Schnorr, but it seems to have nothing on pubkey recovery.

fgrieu

Lev Knoblock

1 Answer

Fix a group $E(k)$ on an elliptic curve over a field $k$. Suppose $P \in E(k)$ is a public key. If a signature on a message $m$ under $P$ is the encoding of a pair $(R, s)$ of a point $R \in E(k)$ and an integer $s$ satisfying (various criteria and) the equation $$[s]G = R + [H(R \mathbin\| m)]P,$$ where $G$ is the standard base point, then you can recover $$P' = [H(R \mathbin\| m)^{-1}]([s]G - R),$$ where $H(R \mathbin\| m)^{-1}$ is the inverse in the scalar ring of $E(k)$, if there is an inverse, which is guaranteed if $E(k)$ has prime order like secp256k1. In groups of composite order like edwards25519 or FourQ, $P'$ may not be equal to $P$ but it may serve as equivalent to $P$ for the purposes of signature verification.

However, while that equation is discussed as an option in the BIP-Schnorr document, that's not the option they chose. Rather, they chose a design where a signature is the encoding of a pair $(r, s)$ of a coordinate $r \in k$ and a scalar $s$ satisfying (various criteria and) the equation $$r = x([s]G - [H(r \mathbin\| P \mathbin\| m)]P),$$ somewhat like Ed25519, about which see for a related discussion of key privacy as even further from key recovery. This leaves you with the snag that to compute $H(r \mathbin\| P \mathbin\| m)$ you must know $P$ already, or know some black magic to break the hash $H$.

So no, the signature scheme in the document you cited does not enable recovery of the public key from signatures.

Squeamish Ossifrage
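The two signature equations in the answer above, worked through in code. This is an added example, not code from the question, the answer or BIP340: it uses plain affine secp256k1 arithmetic, an untagged SHA-256 in place of BIP340's tagged hashes, skips BIP340's even-y normalisation, and uses a fixed constructed private key and nonce (`D_DEMO`, `K_DEMO`, `M_DEMO`). Variant 1 carries the point `R` in the signature, so `P' = [H(R||m)^-1]([s]G - R)` can be computed by anyone holding only the signature and message; Variant 2 hashes `P` into the challenge, so the verifier must already hold `P` and no analogous `recover` function can be written.

```python
import hashlib

# secp256k1 domain parameters (the group order N is prime, so every nonzero
# scalar has an inverse mod N, which is what the recovery formula needs)
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(A, B):
    """Affine addition on y^2 = x^3 + 7 over GF(P_MOD); None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # A + (-A) = O; also covers doubling a point with y = 0
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, A):
    """Double-and-add scalar multiplication [k]A (not constant-time; illustration only)."""
    R = None
    k %= N
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def neg(A):
    return None if A is None else (A[0], (-A[1]) % P_MOD)


def enc(A):
    """Uncompressed 64-byte point encoding used as hash input."""
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def h(*parts):
    """Untagged SHA-256 reduced mod N, standing in for the answer's H."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


# --- Variant 1: signature is (R, s) with [s]G = R + [H(R||m)]P -------------

def sign_with_R(d, m, k):
    R = mul(k, G)
    return R, (k + h(enc(R), m) * d) % N


def verify_with_R(P, m, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(h(enc(R), m), P))


def recover_with_R(m, sig):
    """P' = [H(R||m)^-1]([s]G - R); P' == P here because secp256k1 has prime order."""
    R, s = sig
    e = h(enc(R), m)
    return mul(pow(e, -1, N), add(mul(s, G), neg(R)))


# --- Variant 2 (simplified BIP340 shape): signature is (x(R), s) and the
# challenge commits to P: r = x([s]G - [H(r||P||m)]P) ------------------------

def sign_with_xr(d, m, k):
    P = mul(d, G)
    r = mul(k, G)[0]
    e = h(r.to_bytes(32, "big"), enc(P), m)
    return r, (k + e * d) % N


def verify_with_xr(P, m, sig):
    # e depends on P, so whoever checks this equation must already hold P;
    # the Variant 1 recovery formula has no analogue here.
    r, s = sig
    e = h(r.to_bytes(32, "big"), enc(P), m)
    Rp = add(mul(s, G), neg(mul(e, P)))
    return Rp is not None and Rp[0] == r


# Constructed demo values (fixed key and nonce for a reproducible run only)
D_DEMO = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
K_DEMO = 0x7A3B1C5D9E2F4061827394A5B6C7D8E9F0A1B2C3D4E5F60718293A4B5C6D7E8F
M_DEMO = b"constructed message for the recovery demo"


def demo():
    P = mul(D_DEMO, G)
    sig1 = sign_with_R(D_DEMO, M_DEMO, K_DEMO)
    sig2 = sign_with_xr(D_DEMO, M_DEMO, K_DEMO)
    return {
        "verify1": verify_with_R(P, M_DEMO, sig1),
        "recovered_equals_P": recover_with_R(M_DEMO, sig1) == P,
        "verify2": verify_with_xr(P, M_DEMO, sig2),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat worth seeing in the Variant 1 code: `recover_with_R` returns *some* point for any well-formed `(R, s)` and any message, and that point always satisfies the verification equation for that message. Recovery therefore proves nothing by itself; a protocol that relies on it must bind the recovered key to an identity some other way (an address or key hash, as ECDSA-based systems do).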