Most of the brute force protections don’t actually throttle() the response and so they are not logging negative attempts
Search for functions with the @BruteForceProtection
annotation and check that they call throttle()
on the response at least conditionally.
Brute force protection is not throttling any requests:
https://github.com/nextcloud/server/blob/b70c6a128fe5d0053b7971881696eafce4cb7c26/lib/private/AppFramework/Middleware/Security/BruteForceMiddleware.php#L78-L82