Excellent point! It's not hard for a single attacking context to have the resources to generate vast numbers of requests in parallel. If a botnet is involved, it can use different originating IP addresses.

And so, that's why we need proof of work; thank you for bringing my derailed narrative back on the proper technical track.