Blockchains are open and permissionless. That means that anyone can send you an NFT without your permission and see what NFTs you own without your permission (see my post on blockchain incentives). Think of email – anyone can send you an email, but the difference is that now anyone can read your inboxes. Adding more complexity to the story, receiving an NFT counts as a taxable event.

Instead of the anti-spam systems that services like Gmail have implemented, blockchains rely on transaction fees. In fact, Bitcoin actually was inspired by an email anti-spam algorithm called Hashcash (1997). That system used proof-of-work (e.g., mining in Bitcoin) to compute a header that was sent alongside the email. Spammers would have to waste many compute cycles to send mass spam.

I don't think this is an unfixable flaw in blockchain systems but something that will inevitably be fixed. It might be done on the client-side (you receive them but don't see them). It might be done in the protocol (encrypted NFTs or some mechanism to "receive" them). It might even be done at a new layer of centralization (centralized anti-spam custodial services or infrastructure).

My guess is that Occam's razor applies – the solution that requires the fewest moving parts will win. How soon this becomes a real problem (and how soon these decentralized protocols can respond), I'm not sure.