Rate limiting doesn't protect against credential stuffing either -- it doesn't manifest as a brute-force attack, they rarely originate from a single IP/network you could reasonably rate limit against, and even if you could magically rate limit them you've already lost because you let the bots try their stolen credentials in the first place. Your only real defense is to have a system that identifies bots directly to make it so attackers can't automate spamming credentials across a bunch of different sites.
If you let attackers have like 10 attempts per IP per minute and you're a site where a bunch of people have accounts then you're gonna become an instant favorite for testing stolen creds.
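An added example, not part of the comment above: a fixed-window limiter at the 10 attempts per IP per minute figure mentioned there, run over constructed login events next to an aggregate check on failed logins. The event tuple layout `(ts, ip, user, ok)`, the function names and the `min_failures` / `min_user_spread` thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 10   # attempts per IP per minute, the figure from the comment above
WINDOW = 60         # seconds per window

def per_ip_blocked(events):
    """Return the events a fixed-window per-IP limiter would reject."""
    seen, blocked = Counter(), []
    for ts, ip, user, ok in events:
        key = (ip, ts // WINDOW)
        seen[key] += 1
        if seen[key] > PER_IP_LIMIT:
            blocked.append((ts, ip, user, ok))
    return blocked

def stuffing_windows(events, min_failures=100, min_user_spread=0.8):
    """Flag windows with many failures spread across many distinct accounts.

    Brute force hammers a few accounts; stuffing tries each account about once,
    so distinct_users / failures sits close to 1. Thresholds are assumed values.
    """
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[ts // WINDOW].append((ip, user))
    flagged = {}
    for win, rows in fails.items():
        users = {u for _, u in rows}
        ips = {i for i, _ in rows}
        if len(rows) >= min_failures and len(users) / len(rows) >= min_user_spread:
            flagged[win] = {"failures": len(rows), "users": len(users), "ips": len(ips)}
    return flagged

def constructed_events():
    """Constructed sample: ordinary logins in minute 0, a distributed burst in minute 1."""
    events = []
    for n in range(40):                      # 40 users, 1 in 10 mistypes a password
        events.append((n, f"198.51.100.{n}", f"user{n}", n % 10 != 0))
    for i in range(200):                     # 200 source IPs, 3 attempts each
        for j in range(3):
            idx = i * 3 + j                  # every attempt targets a different account
            events.append((60 + idx % 60, f"203.0.113.{i}", f"acct{idx}", idx % 150 == 0))
    return sorted(events)

if __name__ == "__main__":
    ev = constructed_events()
    print("rejected by per-IP limit:", len(per_ip_blocked(ev)))
    print("flagged windows:", stuffing_windows(ev))
```

On this sample the per-IP limiter rejects nothing, while the aggregate check flags minute 1 only; the four successful logins inside the burst are the accounts that would need follow-up.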
I just buy captcha solvers in India or use a bypass like the Recaptcha Text to Speech challenge that regularly gets abused by extensions like Buster. (Yes, you can use Google speech to text to solve the text to speech captchas.)
Captchas don't really work, the only things they do are let Google track more people and annoy humans. You let your users train their AI for little to no protection against a willing attacker. I'll admit captchas protect against many script kiddies that buy passwords. I'd rather teach my users to use a password manager or support passwordless login than let them click on cars for "security".