without auth, relays can't control access to this information, and with clients not being selective by using NIP-65 in/outbox lists, people basically just aren't using DMs for anything, which is why we keep hearing so much about Telegram and SimpleX
just because people can run honeypot/surveillance relays doesn't mean that serious and honorable people will not strictly respect the privacy and confidentiality of their users' metadata
so long as clients don't handle DMs with more care, nostr is gonna suck for DMs, and that is a major pain point for adoption