Additional explanation: this is primarily a personal setup.
There would be a lot of refinement and contingencies to implement something like this for corporate / business.
Having said that, I still exist on the ruthless side of blocking equation. I'd generally prefer some kind of small allow list than a gigantic block list, but this is how it's (d)evolved.
How is this better than blocking after a certain quantity in a range of time instead?
Single queries should never be harmful to something openly accessible. DOS is the only real risk, and blocking after a certain level of traffic solves that problem much better with less possibility of a false positive, and no risk to your infrastructure, either.