chrismorgan 2 hours ago
Proof-of-work is bad rate limiting: https://news.ycombinator.com/item?id=44093918. The playing field is wildly unbalanced. Even naive attackers tend to have a lot more computing power available than a lot of your normal users, and where it’s SHA-256 (which is almost the worst choice imaginable for a proof of work scheme, yet which every single service that I know of has used), an intelligent attacker goes from being hundreds of times as powerful to millions of times as powerful.
netik 22 minutes ago
I agree with this assessment, but for many applications it's a viable approach, until the attacker goes off and writes their own shader to solve the PoW. We go back to threat modeling here, and looking at the amount of effort vs gain here. They're now integrating Argon2id in an attempt to squash GPU hacks, but it places ridiculous demands on the client, being memory-hard.