You’re indeed correct.
Although the hidden email feature on iCloud can be used for good intentions, scammers can easily abuse it as it’s technically available to anybody who has paid for the subscription.
However, the same case goes for other hidden email tools, such as Firefox Relay (I made a post on it before), and several other sites.
Personally, I don’t think it’s worth blocking the iCloud domain, as it’s unlikely scammers will choose to use it in the first place because it’s a paid feature, compared to free email hiding tools on the internet. Apple has also invested a lot into the security of iCloud, which makes it even less likely for scammers to consider iCloud email address hiding as their first choice.