In PGP how can I be sure about the public key?

I was reading about Protonmail’s system and I couldn’t find an anwser to something. In PGP communication is encrypted using assymetric cryptography: public and private keys. If you want to send something securely to a recipient you use they public key of the recipient.

To my understanding: in nowadays internet systems to gain the public key of someone usually you (or the client software) looks for the public key from a keyserver. If so this system prone to MITM attacks, in other words it is a single point of failure.

Am I correct that this is the way public keys are distributed usually?