Yeah RemoteID is trivial to spoof using an ESP32. Most hobby pilots I know simply don't comply with RemoteID. And bad actors certainly won't purchase a $75 device to add to their drone.
It does become a bit more difficult with consumer grade off the shelf drones because it's built in. Still defeatable by the determined of course.