What do you rate limit by? There's billions of IP addresses a spammer could use, captchas can be solved by offshore farms, there's almost nothing to go by.
Nothing really stopping somebody automating the creation of those either when you're up against people with ridiculous amounts of cost-free (read, botnet) resources to spam with. The Bitcoin reddit gets flooded with spam on an almost minutely basis despite Reddit's heavy rate limiting and captchas.
I agree a lot of this becomes a cat-and-mouse game, but rate limiting is necessary for the health of their system if not to counter some basic spam prevention. Ideally you want to remove the incentive to spam, which in this case is figuring out emails that have registered Coinbase accounts that could later be phished.
Lots of small businesses are perfectly happy to lock out foreign IP addresses on the slightest breeze, and it's probably a good result because for those businesses 1000 out of 1000 requests from the Eastern Hemisphere are hostile.
If you are saying "malicious requests only come from foreign countries" then of course that is silly.
But "for these businesses every connection from certain continents is an attack" is absolutely true.
I've worked with these businesses, worked with their CEO on their business needs, and seen their internet traffic. They, really, have absolutely no need to interact with Asia. They aren't hotshot SV companies trying to become the global leader of VR selfies, they are just boring[1] businesses sending plain old physical goods to customers within a thousand miles of them.
[1] Boring isn't a pejorative in my mind, but I know it is for some other people.
Granted it is not a critical flaw, but is having no limits over time really necessary for Coinbase API users?