How does B2C handle this situation? I couldn't find anything on docs.microsoft.com

Azure AD B2C does provide password lockout. The logic and duration is not a straight forward, "lock out X minutes with exponential cooldown after Y wrong password attempts." There's an intelligent and evolving algorithm that considers many other signals to disambiguate between bad actors and mistakes and other benign scenarios.

Read more about in the Azure AD B2C Threat Management documentation