It's just a DoS attack. If a valid PGP pubkey is added to the account, the account recovery email becomes useless because it's encrypted gibberish that cannot be deciphered unless you have the PGP private key.
Not sure, I don't use Facebook. I suppose that if you have access to the account and are able to associate PGP, you might as well change the recovery email address too if the hacker doesn't already have a way to read it.
A new key can (should) be activated only if a user can confirm that they can read messages encrypted with this key sent to a configured account recovery email.
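The activation check proposed in the last comment, as an added example that is not part of the thread and not any provider's code: RSA-OAEP from Node's `crypto` module stands in for OpenPGP encryption, and the account store, function names and 15-minute challenge lifetime are assumptions.

```javascript
// Added example: RSA-OAEP (node:crypto) stands in for OpenPGP encryption.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 15 * 60 * 1000; // assumed challenge lifetime
const accounts = new Map();              // hypothetical in-memory account store
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Step 1: record the key as *pending* and return the encrypted challenge that
// would be mailed to the configured recovery address. Recovery mail keeps
// using the previously active key (or plaintext) until step 2 succeeds.
function beginKeyActivation(accountId, publicKeyPem, now = Date.now()) {
  const acct = accounts.get(accountId) ?? { activeKey: null, pending: null };
  const token = crypto.randomBytes(32);
  // Only a hash of the token is stored server-side.
  acct.pending = { publicKeyPem, tokenHash: sha256(token), expires: now + CHALLENGE_TTL_MS };
  accounts.set(accountId, acct);
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, token);
}

// Step 2: activate the pending key only if the decrypted token comes back in time.
function confirmKeyActivation(accountId, token, now = Date.now()) {
  const acct = accounts.get(accountId);
  if (!acct || !acct.pending || !Buffer.isBuffer(token)) return false;
  const { publicKeyPem, tokenHash, expires } = acct.pending;
  acct.pending = null; // single use: a failed attempt needs a fresh challenge
  if (now > expires) return false;
  if (!crypto.timingSafeEqual(sha256(token), tokenHash)) return false;
  acct.activeKey = publicKeyPem;
  return true;
}

// True once recovery mail for this account would be sent encrypted.
function recoveryMailIsEncrypted(accountId) {
  return Boolean(accounts.get(accountId)?.activeKey);
}

// Client-side helpers used to exercise the flow with a constructed key pair.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}
function decryptChallenge(privateKeyPem, ciphertext) {
  return crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, ciphertext);
}
```

A key whose challenge is never answered stays pending, so recovery email is not switched to ciphertext the account owner cannot read.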