The bruteforce protection element has to be server side, because the clientside can always be manipulated in the browser

Totally agree. 'Bruteforce' argument is invalid.