
API rate limits don't keep you from doing the nasty stuff when you want to target one specific individual.


Even if an API rate limit exists and is strictly enforced, it's also easy to bypass it with multiple API keys and over time. Most people adhere to a weekly schedule.


Rate limits can also be based on the message contents, e.g. max 20 lookups per day for a cell.


Assuming you already know what continent somebody is on, 20 circles of 200km radius (120 miles) should cover most of the major population centers.

If you live out in Nebraska or the middle of the Sahara this attack is easy to defend against, but humans tend to clump up.


Sounds like a great way to DoS someone out of being able to use their banking app.


Depends on the limit and how it's implemented.



