I guess maybe there are two issues, then, when thinking about whether a data breach is relevant.
With regard to the spam emails,
• my concern would be for those who are not savvy enough to be suspicious enough NOT to follow any embedded links in a spam email. First rule to follow: check on suspicious email by not clicking any links in an email, but follow up by logging into any relevant account to review it for problems.
• It does seem problematic that spam PMs don't necessarily involve hacked data mining for emails, since these spam PMs originate within the community membership. I don't know how that can be mitigated other than suspending accounts held by spammers.
Regarding the possibility of breaches, per se, I would advise anyone to use a layer of security such as PayPal for any payment methods registered with a member account. That way, I think, personal credit card data would not be vulnerable.
By the way, I don't actually remember formally registering a "payment method" that exists in my Roku account; I think what is there is only based upon the payment method I used when I purchased the device. Hmm.