I'd rather Meta just clearly stated if they require domain ownership verification when spoofing links. Lack of this (or similarly effective) protection mechanism enables automated link fraud.
Reminder for adtech company employees in this thread: If you suspect a crime has taken place (e.g. if you have seen internal documentation showing that potential profit outweighed the security benefit of actually enforcing a policy), you can blow the whistle to regulators.
