They aren't defenses, they're precautions. The program can be written cautiously so as not to "flood" anything. I find it extremely unlikely that it will have thousands of simultaneous users, but even if it does, it can be self-throttling.

The program will not identify phishing sites. The user will. The program will only fill out forms on the page the user identifies. Your assumption that the program would try to find phishing sites automatically is a feature I'd never considered.