Hacker News
by aborsy 269 days ago
With malware reportedly uploaded by random people to AUR, I will stick to Debian.

A good thing about a proprietary OS is that they are responsible if their repos are infected.

Are packages carefully reviewed by Gentoo?

2 comments

PPAs are your AUR

Are you confusing Debian and Ubuntu?

> Are you confusing Debian and Ubuntu?

No, you're confusing exclusivity. https://launchpad.net/debian/+ppas

No, I know PPAs are just a way of telling apt about a repository.

What I mean is that Debian does not support adding PPAs by default, and I frankly don't hear of many Debian users doing that. Flatpak/-hub is much more common.

I don't know what to tell you/say, it's a completely supported - and utilized - method for distributing software. For both Debian and Ubuntu. "By default" is completely irrelevant, let me explain.

First, somewhat sarcastically, I can give you that support right here. "echo ... | sudo tee /etc/apt/sources.list.d/...". Go forth and prosper.

Now, more seriously/importantly, this is for distributing user-supplied software. The point I was originally making is that anyone can leverage this, it's not representative of the Distribution. AUR, PPA, COPR (for your RHEL derivative of choice), OBS, whatever. The malware is the responsibility of the user who published it, not the Distribution maintainers.

Aside: I'm deliberately trying to use 'distribution' as a proper noun/capitalize where appropriate... in terms of the composite of software we know as Debian or Ubuntu, not an individual release like the 'software-properties-common' package or malware: what started this thread.

Back on topic: this is firmly down the path of customization. The fact that you don't get 'add-apt-repository' for free is, again, irrelevant. PPAs will distribute (heh) Deb packages for either Distribution.

If we're working off anecdotes, I hear about far more Sources [repo] files being made on Debian than Flatpak installations. Now what do we do.

Defaults matter. By default, Debian can't add PPAs.

The official and semi-official overlays are reviewed, but third-party overlays aren't.

Each third-party overlay is maintained by one person, so you have to trust the person behind each third-party overlay.