NGINX Rate Limiting > ideal place to implement rate limiting as it is more resource-efficient for this task. If this snippet is set as the default in the Web template, it will be more effective for HestiaCP.
If you use that, you still need to modify the web templates to include something like limit_req zone=mylimit burst=10 nodelay; in the server or location block.
Also, if a site is using a CDN, you could end up blocking a lot of requests because you are using $binary_remote_addr to get the IP, and that IP will be one of the IPs used by the CDN, not the actual clients. Hestia already configures Nginx to get the client IP for Cloudflare requests, so you could use $real_ip_header instead of $binary_remote_addr. Users behind company proxies, CGNAT, etc., could also be affected by this limit.
That said, I don’t think it’s recommended to add this by default due to the different use cases of Hestia, the various types of sites, client request patterns, CDNs, and so on.
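As an added illustration (not part of the thread and not HestiaCP or nginx code), this Python sketch is a simplified model of the leaky-bucket accounting that `limit_req ... burst=10 nodelay` performs. It counts the same traffic twice, once keyed on the connecting CDN edge address and once keyed on the restored client address, to show the CDN concern raised above. The 10 r/s zone rate, the documentation-range addresses and the traffic pattern are constructed assumptions, since the thread does not show the zone definition.

```python
from collections import defaultdict

class LimitReqZone:
    """Simplified model of an nginx limit_req zone used with 'nodelay'."""
    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s          # assumed zone rate (requests/second)
        self.burst = burst              # burst=10, as in the directive quoted above
        self.state = {}                 # key -> (excess, last_seen_seconds)

    def allow(self, key, now):
        if key not in self.state:
            self.state[key] = (0.0, now)
            return True
        excess, last = self.state[key]
        # Drain the bucket for the elapsed time, then add this request.
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            return False                # rejected; stored state is left unchanged
        self.state[key] = (excess, now)
        return True


def simulate(requests, key_field, rate_per_s=10, burst=10):
    """Return {client_ip: rejected_count} when the zone is keyed on key_field."""
    zone = LimitReqZone(rate_per_s, burst)
    rejected = defaultdict(int)
    for req in sorted(requests, key=lambda r: r["t"]):
        if not zone.allow(req[key_field], req["t"]):
            rejected[req["client_ip"]] += 1
    return dict(rejected)


def build_traffic():
    """Constructed sample: 20 visitors, 2 req/s each for 3 s, via one CDN edge."""
    edge = "198.51.100.7"               # constructed documentation-range address
    reqs = []
    for c in range(20):
        client = f"203.0.113.{c + 1}"
        for i in range(6):
            reqs.append({"t": i * 0.5 + c * 0.001, "peer_ip": edge, "client_ip": client})
    return reqs


if __name__ == "__main__":
    traffic = build_traffic()
    by_peer = simulate(traffic, "peer_ip")
    by_client = simulate(traffic, "client_ip")
    print("keyed on CDN edge address:", sum(by_peer.values()), "rejected")
    print("keyed on restored client address:", sum(by_client.values()), "rejected")
```

Each visitor stays far below the limit, yet most requests are rejected once all of them share the edge address as the key. The same effect applies to users behind a company proxy or CGNAT.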