I wish I knew more about how one would stop instances full of malicious spam bots from flooding the services, but as for DMs, my understanding is the fact that everything is public through the AT protocol is probably why it doesn't yet have DMs (though maybe through public key crypto, one could have something). Maybe in the future, BlueSky will allow for messaging by tying accounts to some messaging protocol or services.
IIUC the main defense is choice over your own feed + moderators on the feed you choose.
Is this why DMs are not supported? Because there wouldn't be a good spam protection mechanism?