It can protect APIs as much as any other URL. Or more simply you could disallow any unauthenticated API access in gitea or at the reverse proxy level?
cannot protect against bot traffic coming from many different residential proxies
It can block anything that doesn’t pass the proof-of-work/JS challenge. Most bots don’t interpret JS.
The scraping/bandwidth abuse problem can easily be worked around.
But there still are actual good reasons to not host a public forge.
For example, as long as pull requests are allowed (which is required for actual contributors), anyone can abuse the PR feature to fork your repository, then start pushing random shit into their fork (since the fork is an actual separate git repository).
Bad actors can do it on github all they want, it’s not my storage, not my server used to host potentially illegal content.
Self-hosting public services where you are the only authenticated user and sole publisher of content is easy (using your public forge as a mirror with account creation disabled is fine), hosting other’s people content is another can of worms. Think twice before you do that.
unattended-upgrades