It is hard to disagree with this approach. While I still use WiFi, it is a separate subnet and only whitelisted MACs are allowed to use it. Cameras and microphones are always unplugged when not in use, and my phone runs GrapheneOS. I also removed the hands-free microphone in my car, as well as the cellular modem.
Is MAC whitelisting anything but security theater? Isn't it trivial to determine a valid client MAC then spoof it?
What makes you say that? It does not seem trivial at all to guess a valid MAC.
It's not just a guess.
Any decent sniffer (e.g. airsnort) can immediately identify all associations between all WiFi/Bluetooth devices. DD-WRT (router firmware/OS) has this WiFi-associations detector built-in ("local WiFi map"). There is no need to attempt any sort of hack — associations are publicly-broadcast information.
Then, just pick any authorized MAC and duplicate as your own.
The MAC addresses of all the Wi-Fi clients are broadcasted in plain radio format all over the 2.4GHz. It is trivial.
It's in managmenet frames that you can sniff.
Does wpa3 pmf fix this particular issue?
This isn't considered "broken" — it's part of how WiFi works/associates.