The actual brute-force protection functionality and the “Brute-force settings” app are two separate things.
The brute-force protection is part of the core and is enabled by default.
It is not installed as an app, and therefore cannot be disabled or uninstalled via the Apps menu or the occ app command. It can only be disabled by adding the following line to the config.php:
'auth.bruteforce.protection.enabled' => false,
The “Brute-force settings” app, as the name suggests, is just a settings app that provides an interface in the webUI to exclude certain IPs or IP ranges from the brute-force protection.
Disabling the “Brute-force settings” app does not disable the actual brute-force protection, it just removes the settings from the UI.
The pull request you linked to is about enabling the “brute-force settings” app by default, and not about the actual brute-force protection functionality, which has been enabled by default since it moved to the core.
That is good to hear. The gh issue is still valid in my opinion, since the doc now wrongfully claims, that the settings app is enabled by default, which is not true?
Well, if the linked pull request is accepted, the part where it says it’s enabled by default would be removed from the documentation, although I think it would make more sense to actually enable the app by default instead
Anyway, that’s all we can do here in the forums, but feel free to open an issue on GitHub or add a comment to this pull request.