It doesn't. The fact pattern you've just presented is settled law: it might be a tort, it might be some other violation of state law, but it's not a CFAA violation.

I feel like I purposely chose a fact pattern that couldn't meaningfully be distinguished from a DDoS except by the rate, which wasn't specified.

I get that there are cases where someone exceeded a rate limit by a moderate amount and that was fine -- although it's still bad that figuring that out required them to go to court to begin with -- but it seems like we're missing the thing that tells you where the line is. Unless it's really not a violation to just permanently render someone's site inaccessible because you have a lot more bandwidth than them and constantly want the latest version of whatever's on it?

Which is the problem with doing it this way. You don't have anyone working things through to come up with a good rule and give people clarity from the start, so instead it all gets decided slowly over time through expensive litigation.