I don't think it's fair to blame the users. They toggle bluetooth off and think it's off. How are they supposed to know "Bluetooth Off" means "Only some amount of Bluetooth is off"?
And I don't think designing a convincing phishing device is that much of a leap in logic. Bluetooth is off, so maybe the notification is legit from apple and needs authority for a connection?
If you blame the designers who left a backdoor in the bluetooth, then yea that's fair.