
Is it though? It surely is authenticated but is it authorized? By whom? Certainly not by the user.


The user has authorized PayPal to give money to Facebook. Facebook wasn't authorized by the user themselves to run the ad campaign, but PayPal is doing exactly what it should.


And if the same charges had been made on a Visa card, we wouldn't be having this conversation.


If I have a Visa card saved in the Starbucks app, and somebody uses my Starbucks app, I did not authorize Visa for that transaction. It would be no different than losing the card. If somebody picks up my card and swipes it, "Visa is doing exactly what it should" but also it wasn't an authorized transaction and should be reversed.


I'm not sure. When you give authorization for "all future payments to Starbucks until I tell you otherwise" (which is what you're doing with recurring payments being set up between FB and PP), you're authorizing that payment to Starbucks. You're not authorizing Starbucks to take whatever they want, but that's between you and them, not you and Visa. Visa just happens to be very accommodating and will often pressure the vendor.

Losing your card would have been similar to the OP's PayPal account being hacked.



