This is consideration 3 in the parent issue.
Need to think about a method of letting the existing anti-abuse tools (for example Akeeba's Admin Tools) work with the .onion, preferably without risking a single bad actor temporarily blocking access for anyone visiting via the .onion.
One option would be to present the abuse script with an otherwise valid source IP so it can block that instead.
Ideally, that fake IP would be tied to a session in some way, so that the attacker would need to fully disconnect and re-connect.
I had wondered if the Tor client might re-use the same source port when forwarding onto Nginx for a given circuit (i.e. if there was some small element of NAT) but the port changes with each new request, so we'd only be blocking a keep-alive session if it were tied to the port (which might be an acceptable compromise).
The aim is to try and devise something sane which can be implemented at server level without needing to modify the protection scripts themselves.