The one’s i’ve seen are not on Facebook messenger. They are left as a comment after someone posts something to their profile.
They can do this simply by someone accepting their friend request? I understand email, opening attachments etc. But how would this be done through Facebook?
Back when I used to use Facebook, I actually bought a lot of the advertised stuff (I am shamefully vulnerable to advertisements) and I am definitely the kind of person who would post a glowing review or commiserate with a complete stranger about something or other. I would not buy a plexiglass pet memorial, however I have bought a bathing suit, a makeup brush, a book about feelings for my young son, and other products which were just about as awesome as advertised. I’m probably forgetting all the duds due to confirmation bias, but at any rate, my impulse spending has decreased considerably since leaving Facebook.
I almost bought one of these too. Good to know.
A trojan typically wouldn’t be through a friend request. A trojan would get installed on the computer or phone through a virus that might come from clicking on a link, visiting an infected website, or something like that. It probably wouldn’t have anything to do with Facebook. But once the trojan is on the computer, it can pretty much do whatever it wants, such as read files, run programs, send emails, save keystrokes, take screen shots, etc. The trojan could pretend to be a web browser and connect to Facebook as that person using the Facebook cookie on the computer, and then post whatever it wanted using that person’s profile. Most people are safe from this if they are running virus scanners, but not everyone does that.
How many potpourri bowls and bags do you currently possess? 
I’m just sayin’. We’re out there. Though I’m not that Amazon person. Those replies always crack me up.
One of the slightly different ways for scammers to make money from a big list of username + password is to NOT use them to scam you financially – you notice that pretty quickly and change your username/password. Instead they use this list to post comments as if they came from you. This can be a long-term money-maker for them – it can go on for a long time without being noticed.
They then sell this as a ‘service’ to companies who want their product to have lots of glowing reviews that appear to come from real people. The product company provides a file of various glowing comments, and the paid company software posts these under various real identities. Sometimes referred to as ‘borrowed identities’, because compared to ‘stolen identities’, the scammer is not depriving you of the use of your identity – they are just posting some other stuff in addition to what the real person is posting.
(The previous version of this was that they hired real people from a poor country (like Nigeria) to post such comments at x¢ apiece. But their poor English and lack of info on the product often made these easy to spot. Plus that’s slower/less reliable than having software do it.)
Maybe it’s because you really are a beautiful and inspiring person. Don’t sell yourself short. 
That’s the opening salvo, if you add them as a friend or respond in any way, they’ll try to increase the engagement with messages on Messenger, or sending you a link to their other social media accounts like Instagram or TikTok. Eventually they’ll be looking for money.
I’ve got one friend on Facebook who seems to add these people all the time. Just dozens of “hot women” who occasionally post pictures, and he gushes about how beautiful they are on each one. Some guys are just that bad. I don’t know if he’s ever sent them any money, but it wouldn’t surprise me to learn he had.