Ok lemme explain as someone who worked over a decade in the financial/payments industry:
Setting up a secure, easy, online payment system that also complies with the various financial privacy laws around the globe is not easy, or cheap.
The fact DJI is using PayPal, a company who has already invested in meeting those requirements, probably saves DJI, and its customers, billions of dollars.
Security is obviously a top concern for the payments industry, but it goes way beyond what you think. All payments must be encrypted end to end so as not to be hacked. Obviously. But what not many realize is that those laws specify access on the systems in between. Where I worked, lots of time and money was spent ensuring every employee had only the barest of minimum access to information required to do their job. In a company with thousands of employees, this is quite tedious.
For example: do workers need access to the full card number, a partial card number, or just a representation of that number to do work? And each worker with the different access must be able to seamlessly communicate about the same client.
Speaking of communication, privacy of the data is also important. Nobody should be able to fully correlate data if they don't have an absolute need to. And to add to that, each region has different standards. European privacy laws are different from US, which is different from Canada, etc. The reach of these laws is different, too. Maybe US law only applies to purchases in the US, while European law applies to all purchases by Europeans anywhere in the world. Failure to comply may mean the business is banned from operating in Europe. Sorting out these regulations is an expensive nightmare.
Fraud is the biggest cost to the industry, especially international fraud. As a result, much goes into ensuring the card user is the card owner. This is why DJI wants a PayPal account. DJI products for the most part are high-value items, and if a lot of them were purchased by fraud, then payment companies would not allow DJI to use them. I.e., if many people used stolen VISA cards to buy drones, VISA could say to DJI they can't accept VISA. This is because the cost of the fraud is borne by the card company. However, if DJI couldn't demonstrate that it did everything possible to stop fraud, THEY would bear the cost. So setting up a PayPal account, which can require verification in a few forms, helps ensure this needed security. This is another expense that a company would incur to set this up, but PayPal has already done it, and it saves DJI money by not footing the cost of stolen products.
So, I hope you can see, using a 3rd party payment company, such as PayPal (which is the most trusted worldwide), is a solid business move. It is much easier and cheaper to get on board their established systems than to try and comply with all standards in a global market.
Oh! Almost forgot the AUDITS!! Security auditors can come by at any time to ensure the systems are secured and that all regulations are being complied with. Failure to do so could mean immediately shutting down the ability to accept card payments until it is resolved. For some businesses, this means closing up shop completely. Why face that risk?
Now as for your "take money any time" statement... no, they can't. Refer to those laws I mentioned. As for the "tracking you" part... LOL!! EVERYONE is tracking you! DJI, PayPal, the credit card you use, the bank you debit from. Not even for advertising's sake, or to sell your data. Algorithms are used to determine abnormal payment activity to spot fraud as it happens, to stop theft, and to make sure you aren't on the hook for a purchase you didn't make. Never got a call from your bank asking about a purchase? Then you are lucky!
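Added example, not part of the original post: a sketch of the access question the post raises (full card number, partial number, or just a representation), where every role gets the same reference token so staff can talk about the same client without seeing the number. The role names, the `view_for` helper, the key and the HMAC-derived token are assumptions made for illustration; production tokenization typically uses a vault service rather than a keyed hash.

```python
import hashlib
import hmac

# Hypothetical roles and the card-number view each is allowed (assumed).
ROLE_VIEW = {
    "settlement": "full",      # has to submit the real number for payment
    "support": "partial",      # confirms a card by its last four digits
    "fraud_analyst": "token",  # only needs to link activity to one card
}
TOKEN_KEY = b"constructed-demo-key"  # constructed; a real key stays in an HSM/vault


def luhn_valid(pan: str) -> bool:
    """Checksum used by card numbers; rejects most mistyped input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def token_for(pan: str) -> str:
    """Stable representation of the card that reveals none of its digits."""
    mac = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256)
    return "tok_" + mac.hexdigest()[:16]


def view_for(role: str, pan: str) -> dict:
    """Return only what `role` may see; unknown roles are denied by default."""
    view = ROLE_VIEW.get(role)
    if view is None:
        raise PermissionError(f"role {role!r} has no card-data access")
    pan = pan.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19
            and luhn_valid(pan)):
        raise ValueError("not a valid card number")
    record = {"ref": token_for(pan)}  # shared by every role
    if view == "partial":
        record["card"] = "*" * (len(pan) - 4) + pan[-4:]
    elif view == "full":
        record["card"] = pan
    return record


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"  # constructed: a widely used test number
    for role in ROLE_VIEW:
        print(role, view_for(role, sample))
```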