You can register a recovery key which allows overriding the signing key. This allows users to move from an adversarial PDS. I do think Bluesky should push for more users to add a recovery key, but I also understand why they haven't.

Moderation tools aren't limited to specific PDSs; labels are public. If an account has received many reports, it will have been labelled by Bluesky's moderation account and other independent labellers. A PDS can check against these before allowing an account to migrate if they choose to. I'm not sure any are currently doing this, but this is something that can absolutely be improved in current implementations, not an inherent limitation of the architecture.

How to adversarially migrate: https://www.da.vidbuchanan.co.uk/blog/adversarial-pds-migrat...

*Requires your own PLC key, which the vast majority of users do not have. Protonmail has good prior art here (imo).

Yeah, I think Bluesky should put more effort into getting users to create their own PLC key. It's trivial for someone who knows about it to do it, but of course the average user has no idea what atproto is. They need to explain it in a user-friendly way and have a simple tool to do it.

I'm not aware of what Proton does here, I'll look into that.

When you create a Proton account, they create a recovery file for you and have copy about the importance and relevance at that point in onboarding. In other words, users shouldn't have to create their own PLC key; it should be created and downloaded on device automatically. I immediately thought "this is what Bluesky should have done" when that happened (Proton is recent for me), because this PLC key thing always comes up.