In looking at T165803: Login API shouldn't lock you out in case you make too many correct logins, I realized that BotPasswords doesn't do any login throttling.
The only caller is ApiLogin, and all code paths there currently will also call AuthManager, which by default will do throttling. But that throttling only occurs after the BotPassword login is attempted, so an attacker could ignore the throttling messages to keep attempting to attack a BotPassword.
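As an added illustration (this is not MediaWiki code and is not part of the task), the following Python models the ordering problem described above: a throttle that is only consulted after the credential has been checked bounds nothing, because every guess is still evaluated and a correct one still succeeds, whereas a throttle consulted before the credential check refuses the attempt outright. The credential store, the user name, the limit and the absence of time-based decay are all constructed for the example.

```python
"""Added example, not project code: where the throttle check sits relative to
the credential check decides whether rate limiting bounds an attacker at all."""
import hashlib
import hmac
import secrets
from collections import defaultdict

MAX_ATTEMPTS = 5            # constructed limit; a real throttle also decays over time
PBKDF2_ROUNDS = 10_000      # kept low so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """Minimal in-memory store; counts how many guesses were actually evaluated."""

    def __init__(self):
        self.users = {}
        self.failures = defaultdict(int)
        self.evaluated = 0

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash(password, salt))

    def check_password(self, name: str, password: str) -> bool:
        self.evaluated += 1
        if name not in self.users:
            return False
        salt, digest = self.users[name]
        return hmac.compare_digest(_hash(password, salt), digest)


def login_throttle_after(store: CredentialStore, name: str, password: str) -> str:
    # Vulnerable ordering (the situation the task describes): the credential is
    # checked unconditionally; the throttle is only consulted on the fallback
    # path, so a "throttled" reply never stops a guess from being evaluated.
    if store.check_password(name, password):
        store.failures[name] = 0
        return "ok"
    if store.failures[name] >= MAX_ATTEMPTS:
        return "throttled"
    store.failures[name] += 1
    return "bad-password"


def login_throttle_before(store: CredentialStore, name: str, password: str) -> str:
    # Fixed ordering: refuse the attempt before the credential is touched.
    if store.failures[name] >= MAX_ATTEMPTS:
        return "throttled"
    if store.check_password(name, password):
        store.failures[name] = 0
        return "ok"
    store.failures[name] += 1
    return "bad-password"


def simulate(login_fn) -> dict:
    """Run MAX_ATTEMPTS wrong guesses followed by the correct password and report
    how many guesses the store evaluated and what the final attempt returned."""
    store = CredentialStore()
    store.add_user("bot", "correct-horse")        # constructed account
    for i in range(MAX_ATTEMPTS):
        login_fn(store, "bot", f"wrong-guess-{i}")
    final = login_fn(store, "bot", "correct-horse")
    return {"evaluated": store.evaluated, "final": final}


if __name__ == "__main__":
    print("throttle after :", simulate(login_throttle_after))
    print("throttle before:", simulate(login_throttle_before))
```

With the throttle consulted after the check, all six guesses are evaluated and the sixth (correct) one logs in, so the limit never constrains the attacker; with the throttle consulted first, the sixth attempt is refused without the password being examined.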