> And how does one verify that the public key received belongs to the intended party, rather than a mitm?

Fingerprints. Again, this is like Crypto 101. Not saying that as a personal attack of any kind, I just remain incredulous that what used to be entry level knowledge in “our thing” has evidently become so obscure.