Okay cool, I am wondering if there are any more similar to purplepag.es that only handle kind 0 and 10002. Haven't heard of any yet. Also, NIP-65 mentions in point 5 of the Final Considerations: "If a relay signals support for this NIP in their NIP-11 document that means they're willing to accept kind 10002 events from a broad range of users, not only their paying customers or whitelisted group." This could open a relay up to a DoS where the hardrive fills up with noise generated as quickly as npubs can be generated and bandwidth is able to transmit. There is a case, I think, when signalling NIP-65 support only for paying customers (and perhaps also their network) is desired. However, I am not certain how NIP-11 documents are currently utilized.
Relays shouldn't be blind to who is connecting to them. I've mentioned multiple times to other relay developers and nobody seems to listen... but you can ban IP addresses. Even if you are getting a DDoS those are from a subset of IP addresses that will have to repeat at some point and then you know which ones to ban. Banning doesn't have to be only by pubkey. Will this hurt VPN users... yes. But VPNers accepted this as part of the cost of privacy. I don't know of a perfect solution.