Because it's Netflix not adhering to the spec, which states that local addresses are to be interpreted by the host only. Netflix has no business caring about how Gmail interprets its local parts.
Well, if Netflix stripped the periods, THAT would be not adhering to the spec. Netflix's issue is that they have a lax security practice, not that they don't adhere to the spec.
Gmail does adhere to the spec, which has nothing to do with this bug, which is Netflix sending emails without verifying. Email isn't even relevant here. The exact same thing happens with postal mail addresses if something gives your address as theirs.