First off, rua and ruf addresses need to be public, or reporters would be unable to send reports (the R in DMARC) to the correct address.
Next, with any significant volume of mail, you’ll need some kind of automation for handling DMARC aggregate reports (rua), e.g. the service provided by DMARCIAN. As aggregate reports are rarely handled by humans, it would make little sense spamming the address, and the automation can easily discard any mail that does not follow the well-defined report format.
Failure/forensic reports may be read by humans, but again the reports do not look like ordinary office mail, so any spam would be easy to spot.
I have not noticed any spam at our DMARC reporting address, but some legitimate reports do end up in the Unwanted Mail folder.
Maybe the DMARCIAN folks can supply solid spam statistics?
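As an added illustration of the "discard anything that is not a well-formed report" point above (example code written for this page, not part of the answer and not dmarcian's software): a small Python filter that pulls the zip/gzip attachment out of a message, parses the XML, and only accepts it if the mandatory RFC 7489 aggregate-report elements are present. The report XML, the mailbox addresses and the domains (example.org, example.net) are constructed placeholders.

```python
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET
from email.message import EmailMessage

# Constructed minimal aggregate report in the RFC 7489 Appendix C shape (placeholder domains/IP).
SAMPLE_REPORT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>example.net</org_name>
    <email>dmarc-reports@example.net</email>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def build_report_message(xml_bytes: bytes, container: str = "zip") -> EmailMessage:
    """Wrap report XML in a zip or gzip attachment, the way reporters send it (constructed sample)."""
    msg = EmailMessage()
    msg["From"] = "noreply-dmarc@example.net"
    msg["To"] = "dmarc-rua@example.org"
    msg["Subject"] = "Report Domain: example.org Submitter: example.net Report-ID: 12345"
    msg.set_content("This is an aggregate report.")
    base = "example.net!example.org!1700000000!1700086400"
    if container == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(base + ".xml", xml_bytes)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=base + ".zip")
    else:
        msg.add_attachment(gzip.compress(xml_bytes), maintype="application", subtype="gzip",
                           filename=base + ".xml.gz")
    return msg


def build_spam_message() -> EmailMessage:
    """Constructed unsolicited mail with no report attachment."""
    msg = EmailMessage()
    msg["From"] = "promo@example.com"
    msg["To"] = "dmarc-rua@example.org"
    msg["Subject"] = "Limited offer"
    msg.set_content("Click here")
    return msg


def extract_report_xml(msg: EmailMessage) -> list:
    """Return the XML payload of every zip/gzip attachment; unreadable archives are skipped."""
    payloads = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if ctype == "application/zip" or fname.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    payloads.extend(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
            except zipfile.BadZipFile:
                continue
        elif ctype in ("application/gzip", "application/x-gzip") or fname.endswith(".gz"):
            try:
                payloads.append(gzip.decompress(data))
            except (OSError, EOFError):
                continue
    return payloads


# Mandatory elements per RFC 7489 section 7.2 (a subset; enough to reject anything that is not a report).
REQUIRED = {
    "report_metadata": ("org_name", "email", "report_id", "date_range/begin", "date_range/end"),
    "policy_published": ("domain", "p"),
}
RECORD_PATHS = ("row/source_ip", "row/count", "row/policy_evaluated/disposition", "identifiers/header_from")


def validate_aggregate_report(xml_bytes: bytes) -> bool:
    """True only for XML that has the <feedback> structure with the required sections and one record."""
    try:
        # Input is untrusted; for production use the defusedxml package instead of stdlib ElementTree.
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return False
    if root.tag != "feedback":
        return False
    for section, fields in REQUIRED.items():
        sec = root.find(section)
        if sec is None or any(sec.find(f) is None or not (sec.find(f).text or "").strip() for f in fields):
            return False
    records = root.findall("record")
    return bool(records) and all(rec.find(p) is not None for rec in records for p in RECORD_PATHS)


def classify_message(msg: EmailMessage) -> str:
    """'report' if at least one attachment is a valid aggregate report, otherwise 'discard'."""
    return "report" if any(validate_aggregate_report(x) for x in extract_report_xml(msg)) else "discard"


if __name__ == "__main__":
    print(classify_message(build_report_message(SAMPLE_REPORT_XML)))      # report
    print(classify_message(build_spam_message()))                          # discard
```

The filter accepts on structure rather than on sender or subject, so a reporter whose mail trips a Bayesian spam score still gets through, while anything lacking a parseable `<feedback>` document is dropped before a human sees it.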