It's the problem of Facebook and PayPal that they have inadequate protections and blame the users for that.
I think the issue is of allowing a payment to go through without triggering any security checks.
Probably some basic checks should also be done whether a company publishing an app actually exist.
I wouldn't blame PayPal as much, this is on Facebook in my opinion. Recurring payments are a good thing, we don't want constant re-authorization when the relationship has been established.
Facebook on the other hand should have handled it differently. I don't know how their permission screen for app authorization looks, but I guess it should have a huge red warning sign if it includes a permission to allow the app to spend your money.
The problem is that people are now trained to click popup windows without reading the contents, just to make them go away thanks to brilliant GDPR and cookie law. I am not sure if a huge red warning sign would have helped. People are blind to these things.
