While I definitely agree with that suggestion (who wouldn’t? Except vandals themselves), I fail to see how it is related to this discussion about replacing Basic Auth with OAuth2 ?
As I see it, the issue with vandalism is completely the same regardless if vandal is using Basic auth or OAuth2 bearer token in their script? It is literally single line change. Or am I missing something?
Regarding vandalism and limits, rather see / chime in this topic (and others linked to it):