PHP
WebDev, 2020-03-11 14:42:45

Do you take into account the intensity of requests from the user and how do you protect the application?

In my application, the user is authenticated and can perform some actions, in particular upload photos. Photos are uploaded in real time via ajax and resized on the server.
And so I thought that an attacker could simply log in, get an authorization token, write a script that sends a huge number of pictures on his behalf, and bring the server down. It's that simple.
That is, it is enough to find the most resource-intensive operation and flood the server with a large number of requests for it.
Here it would be possible to use queues. They would save the server from overload, because all these pictures would not be processed at the same time, but they would still block the work, because the whole queue would be clogged with the attacker's pictures and the ordinary user's pictures would be at the end of the queue.
So a rather banal question came to mind. Tell me, do you somehow take such situations into account? Do they need to be considered in advance? Or maybe the hoster takes on the job of blocking such attacks (at least a primitive one, when someone runs a script from their home PC)? During a DDoS attack, the hoster (Hetzner) itself identified and blocked the attack. But that was about ordinary requests that do not load the server. And an order of magnitude fewer image-upload requests would be needed for the server to crash.
Thank you.


2 answer(s)
Sanes, 2020-03-11
@Sanes

See how throttling is implemented in Laravel.
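As an added example of what this answer points at (not code from the thread or from Laravel's documentation): a named rate limiter in Laravel 8+ on PHP 8 that is keyed on the authenticated user's id and applied only to the upload route, so a script running with a valid token hits a ceiling regardless of the IP it sends from. The `/photos` route, `PhotoController`, and the numeric limits are assumptions.

```php
<?php
// Added example: per-user throttle for the upload endpoint (Laravel 8+, PHP 8).
// Assumptions: standard RouteServiceProvider and routes/web.php locations;
// PhotoController, the /photos path and the limits are placeholders.

// --- app/Providers/RouteServiceProvider.php (excerpt) ---
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class RouteServiceProvider extends ServiceProvider
{
    protected function configureRateLimiting(): void
    {
        RateLimiter::for('uploads', function (Request $request) {
            // Key on the account, not the address: the attacker in the question
            // holds a valid token, so an IP-based limit alone is easy to sidestep.
            $key = $request->user()?->id ?? $request->ip();

            // Distinct key prefixes keep the two windows in separate counters.
            return [
                // Short window against a burst of uploads from one account.
                Limit::perMinute(10)->by('uploads-min:' . $key)->response(
                    fn () => response()->json(['error' => 'Too many uploads'], 429)
                ),
                // Long window so a slow, steady script still hits a ceiling.
                Limit::perDay(500)->by('uploads-day:' . $key),
            ];
        });
    }
}

// --- routes/web.php (excerpt) ---
use App\Http\Controllers\PhotoController;
use Illuminate\Support\Facades\Route;

// 'auth' first, so only authenticated users reach the limiter; 'throttle:uploads'
// answers 429 (with Retry-After headers) before any resize work is started,
// so the resize queue is never filled by the throttled account.
Route::post('/photos', [PhotoController::class, 'store'])
    ->middleware(['auth', 'throttle:uploads']);
```

The middleware runs in PHP after the request body has already been received, so it protects the resize step, not the bandwidth; the nginx limit from the other answer is the complementary control at the edge.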

Roman Mirilaczvili, 2020-03-11
@2ord

nginx Rate Limiting
https://docs.nginx.com/nginx/admin-guide/security-...
