A properly configured WAF is arguably necessary to maintain SLAs on an API available on the web. Bad actors will hammer any open API endlessly unless the API shows signs of defense. This can affect connection latency for good users and cost for the business. Why would you ever bother processing a million bogus login or search requests (and incurring the server and database load and charges) if the WAF can handle it automatically and basically for free?
Most bad actors are looking for easy targets and will move on when seeing minimal defenses. If we want to continue enjoying an open and accessible internet where any client that speaks the protocol can connect, then WAFs are an integral part of maintaining that public service.