Resource exhaustion, so were just asking for a whitelist for sessions I suppose. It's still possible to overwhelm a server by repeatedly requesting auth upgrades too, deplete the RNG pool requesting challenges. So rate limiting still applies, and can mostly solve the exhaustion problem.
I think it's fair to just say whitelist may be useful for reading. I don't think it helps any more than rate limiting for resource exhaustion.