It is a bug, not an exploit, for sure it shouldn't be an intended implication of the developer's intent. This also should not be on purpose. Allowing a transaction to be accepted without user consent seriously harms the ecosystem. In the first place, things like this should be considered if they are aware of the current flawed implementation occurrence. Thus it makes no sense if the smart contract developers were allowing this to happen.
Of course they knew, they were the ones who created this backdoor and vulnerability in the first place. Read the code, they made the code that accepts transactions without signature of the owner of the address. Without private keys. Other crypto like BTC or XRP don't have this backdoor.
Honestly, I give the benefit of the doubt to the developers. By mean developer the initial development made by the OpenZeppelin dev, do note that as an ecosystem everyone who comprehends code can see the implication of this flawed code, but, nobody bats an eye until this flaw mechanism is being used by a scammer. The code is also used by another developer, the one who made the smart contract implementation which used the OpenZeppelin library. Though it is indeed concerning when many developers allowed this to happen, I wonder what is their reasoning.