This is related to https://hackerone.com/reports/1173684
The endpoint you hit does have bruteforce protection
https://github.com/nextcloud/server/blob/master/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php#L126
But this is only triggered by finding a share that is password protected
https://github.com/nextcloud/server/blob/master/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php#L157
Or a file drop public share
https://github.com/nextcloud/server/blob/master/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php#L166
In other words this endpoint can also be used to try to brute force share tokens.
Low just like on the other report. But should be fixed non the less.