Those two laws are, actually, my personal bullet against virtually everything I don't like happening to my own computer -as well as those owned by others (though that is not within my responsibility)-.

I feel like you missed the point though. There's no obvious question to the computer user that this is going to happen; ie. there is no consent. Which is important with regards to GDPR.

Next, what happens is the question. Either the security of the computer is breached (which I'll just call "malware" from hereon), or PII is being send (spyware).

Malware seems obvious to me. That's breaching computer security, been illegal for quite a while now. Not worth the discussion though recently the government of The Netherlands made it legal for the police to hack its civilians.

Spyware's legal status seems to have changed since GDPR though. Sure, a lot of spyware is shady, makers of it don't care. But the spyware being bundled with software was done by someone. And in this case, it appears to be within FileZilla's responsibility.

You may not be from EU; I saw FileZilla developers being obviously from the EU and I am from the EU as well. So the GDPR does apply for me, for sure.