I wish I knew more about how one would stop instances full of malicious spam bots from flooding the services, but as for DMs, my understanding is that the fact that everything is public through the AT Protocol is probably why it doesn't yet have DMs (though maybe through public key crypto, one could have something). Maybe in the future, Bluesky will allow for messaging by tying accounts to some messaging protocol or services.
Apparently, DMs are low priority: https://github.com/bluesky-social/social-app/issues/1114