If you have a client app that you think is reliably filtering spam, then to be blunt: you aren't receiving any spam, at least to first approximation. My stack of stuff on my three decade old personal account has a 95%+ hit rate (something I might naively be tempted to label as "reliably filtering spam"), and I see see more spam than signal in the inbox.

GMail, on the other hand, is damn close to 100%. And it does it through excruciating application of heuristics like "don't trust agents that don't set SHOULD headers".

But GMail is accepting the Mails from his payment processor? It's just Google Workspace that won't

They're variants of the same software stack. But that's sort of the thing: email filtering (the only thing that makes email useful) requires tuning and heuristics. Decisions that are effective for personal email may not be for the spam faced by corporate clients, and vice versa.

No one (at least no one serious) thinks you can just implement some RFCs and get a product that works and doesn't suck. Life just isn't like that.

I'm just speculating, but probably because you're on an email provider that isn't a big enough target to worry about the persistent threat-actor model.

Google is a big enough target to justify spending the resources on dedicated attacks against their infra. Other providers may simply get less spam because their email domain shows up less often in the sources attackers use to pick targets.