
Isn't the web of trust part of a PGP? That maps private keys to human-meaningful entities. Or is that not part of OpenPGP?



It's one way to use PGP, and it's not the only way. Almost certainly the most common use of PGP by number of operations per day is verifying RPM and apt signatures, which relies on trusting specific keys delivered through out-of-band means (in practice, mostly previously delivered via HTTPS).

In turn, the subject information in these keys does not matter - either the signing key is trusted, or it's not. There's an ongoing philosophical debate among users of the web of trust about what the subject (name and email) means. Should you sign a key if you see a passport? Are you attesting to legal names? If someone works via a pseudonym, how (if at all) should you sign their key? How do you validate the passport? Maybe you should only sign keys for people you actually know, and attest to knowing their identity in a human sense and not to them having legal documents? What about the email field - do you need to verify that they possess the email? How?

The OpenPGP spec includes just enough functionality to encode trust into local keys (and specifies that it should not be exported), but it does not say anything about a web of trust: https://datatracker.ietf.org/doc/html/rfc4880#section-5.2.3....
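As an added illustration (not part of this thread), here is what the "trust specific keys delivered out-of-band" model described above looks like in apt's deb822 sources format. The repository URI, suite and keyring path are hypothetical placeholders; the point is that the repository is bound to one pinned key, not to any web-of-trust signatures on that key.

```text
# /etc/apt/sources.list.d/example.sources (hypothetical repository)
#
# Weaker, legacy pattern: `apt-key add key.asc` imports the key into the
# global trusted keyring, so the key then validates *every* configured
# repository. Avoid that; pin the key to the one repository it belongs to.
#
# Stronger pattern: download the vendor's key once (out of band, typically
# over HTTPS), store it as a keyring file, and reference it with Signed-By.
# Only signatures from this key are accepted for this repository, and the
# key's user ID, web-of-trust signatures, and owner-trust are irrelevant.
Types: deb
URIs: https://repo.example.invalid/debian
Suites: stable
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg
```

The equivalent on the RPM side is a `.repo` file with `gpgcheck=1` and a `gpgkey=` URL pointing at the vendor key; in both cases the package manager checks "was this signed by the pinned key", and nothing about the key's name or email field enters the decision.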


The argument is that the whole "web of trust" thing never really took off, so you can't rely on it in practice.



