Think this would be less of an issue if they provided their fingerprint on their profile. People should never trust downloading a gpg key without verifying their fingerprint