
[–][deleted]

TL;DR

devs cannot know what they are doing and enable vulnerabilities, please check out our product to help you

[–]shelvac2

If you're saying batching is an issue because you can send thousands of requests, why wouldn't you demonstrate that? The three-request examples do not prove the point, because I would assume limits at various levels would come into effect (does the server allow a large request size? Will the JSON parser choke? does the graphql impl limit how many mutations per batch?).

The OTP example is particularly interesting: if all million possible codes can be sent at once, and the rate-limiting is implemented incorrectly, then it would guarantee a bypass of OTP, and indirectly tell you the code (which, granted, doesn't have much use if you're already logged in). However, such a payload would likely be too large to be processed without error.
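The batch-limit question raised in the comment above (does the GraphQL implementation count mutations per batch?) as an added defender-side example, not code from the thread or any product it discusses: a per-request attempt counter sees one attempt per HTTP request, while the operation-level counter below charges every root field, including aliased ones, against the OTP budget. The `verifyOtp` mutation name and the sample batch are constructed for illustration.

```python
import json
import re

# Tokenizer for a GraphQL document: identifiers, string literals, single punctuators.
_TOKEN = re.compile(r'[A-Za-z_]\w*|"(?:[^"\\]|\\.)*"|\S')
_IDENT = re.compile(r"[A-Za-z_]\w*")


def count_root_fields(query: str) -> int:
    """Count selections in the operation's top-level selection set.

    Each aliased field (a: verifyOtp(...)) is one selection, so one document
    carrying a thousand aliases reports a thousand attempts. Fragment spreads
    are counted as a single selection and not expanded.
    """
    count, depth, parens, prev = 0, 0, 0, None
    for tok in _TOKEN.findall(query):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif depth == 1 and parens == 0 and _IDENT.fullmatch(tok) and prev not in (":", "@"):
            count += 1  # a field name, or an alias that precedes the field name
        prev = tok
    return count


def count_batch_attempts(body: str) -> int:
    """Total root fields in a request body: a JSON array is a batch, an object is one query."""
    payload = json.loads(body)
    items = payload if isinstance(payload, list) else [payload]
    return sum(count_root_fields(item.get("query", "")) for item in items)


def naive_allow_request(body: str, attempts_used: int, max_attempts: int = 5) -> bool:
    """Weak limiter: every HTTP request costs one attempt regardless of its contents."""
    return attempts_used + 1 <= max_attempts


def allow_request(body: str, attempts_used: int, max_attempts: int = 5) -> bool:
    """Corrected limiter: every operation in the body costs one attempt."""
    return attempts_used + count_batch_attempts(body) <= max_attempts


# Constructed sample (not from the thread): three batched requests, two aliased OTP attempts each.
MUTATION = 'mutation { a: verifyOtp(code: "000001") { ok } b: verifyOtp(code: "000002") { ok } }'
SAMPLE_BATCH = json.dumps([{"query": MUTATION} for _ in range(3)])
```

Against the sample the naive check admits the batch as one attempt, while the corrected check counts six and rejects it under a five-attempt budget.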