When you say web site logins are set up not to allow brute force attacks, I suppose you mean how they for example allow 3 attempts, then ban attempts for x amount of time (like many phone logins)?
I’m by no means a security expert, nor have I formally studied this in any way… that being said …
As far as I know, you’re correct in that the method I mentioned prevents most sites from being attacked via brute force.
I think there’s still a concern if an attacker somehow can make their way around the “front door” - the website login page - and somehow access the password database directly, as is often the case when you hear of a company getting hacked.
To my knowledge, these password databases are hashed - basically encrypted - not stored in plaintext for security purposes (otherwise company employees can also see users’ passwords). However, if an attacker has direct access to that database, they can perform a direct brute force attack on that. Basically, if they know the hash/encryption method, they can guess a password and see if the hashed/encrypted form matches what’s stored in the database.
To learn more about how passwords are stored in a database, including how hashing works, here’s a 10 minute video I found helpful: https://www.youtube.com/watch?v=8ZtInClXe1Q
But definitely, if anyone else has “actual” knowledge to help answer this question, I’d love to hear.