PKI specifically means you don't have to rely on secure key transfer.
Encrypt everything, and post your public key on any keyserver you choose. There is very little sensitive information in a public key (though it can tie you socially to another party, in a cryptographically strong manner, for those who are concerned about such things).
But the point is that an out-of-band and secure key transfer isn't required.
However, each party needs to be sure that the identity of the other is who they expect, i.e. that a MitM is not occurring. Sometimes the best way to achieve that is an out-of-band key exchange.
And what happens when your keyserver gets hit with an NSL to impersonate another party? Is there something to prevent it there as infrastructure or legal?
Please read a fundamental PKI text or FAQ. That isn't a viable threat model.
On the other hand, anyone at any time can create a key with any given name on it. Under PGP, trust is generally imbued through keysigning and trust metrics.
Keys are also cheap: two (or more) parties could create keys (or subkeys) they used exclusively for communications between themselves, if they so chose.